
Showing papers on "Password published in 2020"


Journal ArticleDOI
TL;DR: A cloud-centric three-factor authentication and key agreement protocol integrating passwords, biometrics and smart cards to ensure secure access to both cloud and AVs is proposed, whose findings demonstrate that the protocol achieves high security strength with reasonable computation and communication costs.
Abstract: Autonomous vehicles (AVs) are increasingly common, although there remain a number of limitations that need to be addressed in order for their deployment to be more widespread. For example, to mitigate the failure of self-driving functions in AVs, introducing the remote control capability (which allows a human driver to operate the vehicle remotely in certain circumferences) is one of several countermeasures proposed. However, the remote control capability breaks the isolation of onboard driving systems and can be potentially exploited by malicious actors to take over control of the AVs; thus, risking the safety of the passengers and pedestrians (e.g., AVs are remotely taken over by terrorist groups to carry out coordinated attacks in places of mass gatherings). Therefore, security is a key, mandatory feature in the design of AVs. In this paper, we propose a cloud-centric three-factor authentication and key agreement protocol (CT-AKA) integrating passwords, biometrics and smart cards to ensure secure access to both cloud and AVs. Three typical biometric encryption approaches, including fuzzy vault, fuzzy commitment, and fuzzy extractor, are unified to achieve three-factor authentication without leaking the biometric privacy of users. Moreover, two session keys are negotiated in our protocol, namely: one between the user and AV to support secure remote control of the AV, and the other is negotiated between the mobile device and the cloud to introduce resilience to the compromise of ephemeral security parameters to ensure cloud data access security with a high security guarantee. Finally, we formally verify the security properties and evaluate the efficiency of CT-AKA, whose findings demonstrate that the protocol achieves high security strength with reasonable computation and communication costs.

153 citations


Journal ArticleDOI
TL;DR: An ECC-based secure three-factor authentication protocol with forward secrecy for WMSN is proposed, which utilizes a fuzzy commitment scheme to handle the biometric information and utilizes fuzzy verifier and honey_list techniques to solve the contradiction of local password verification and mobile device lost attack.
Abstract: The Internet of Things (IoT) enables all objects to connect to the Internet and exchange data via different emerging technologies, which makes the intelligent identification and management a reality. Wireless sensor networks (WSNs), as a crucial basis of IoT, have been applied in many fields like smart health care and smart transportation. With the development of WSNs, data security has attracted more and more attention, and user authentication is a popular mechanism to ensure the information security of WSNs. Recently, many authentication mechanisms for wireless medical sensor networks (WMSNs) have been proposed, but most of the protocols cannot achieve the features of local password change and forward secrecy while resisting stolen smart card attack. To enhance the security based on previous work, an ECC-based secure three-factor authentication protocol with forward secrecy for WMSN is proposed in this paper. It utilizes a fuzzy commitment scheme to handle the biometric information. Meanwhile, fuzzy verifier and honey_list techniques are used to solve the contradiction of local password verification and mobile device lost attack. The security of our protocol is evaluated by provable security, Proverif tool, and information analysis. Besides, the comparisons with the relevant protocols are given, and the results indicate that our protocol is robust and secure for WMSN systems.

128 citations


Journal ArticleDOI
TL;DR: This work proposes a new user authenticated key agreement scheme in which only authorized users can access the services from the designated IoT sensing devices installed in the IIoT environment, and carries out the formal security analysis using the broadly accepted Real-Or-Random (ROR) model and also the non-mathematical (informal) security analysis on the proposed scheme.
Abstract: With an exponential increase in the popularity of Internet, the real-time data collected by various smart sensing devices can be analyzed remotely by a remote user (e.g., a manager) in the Industrial Internet of Things (IIoT). However, in the IIoT environment, the gathered real-time data is transmitted over the public channel, which raises the issues of security and privacy in this environment. Therefore, to protect illegal access by an adversary, user authentication mechanism is one of the promising security solutions in the IIoT environment. To achieve this goal, we propose a new user authenticated key agreement scheme in which only authorized users can access the services from the designated IoT sensing devices installed in the IIoT environment. In the proposed scheme, fuzzy extractor technique is used for biometric verification. Moreover, three factors, namely smart card, password and personal biometrics of a legal registered user are applied in the proposed scheme to increase the level of security in the system. The proposed scheme supports new devices addition after initial deployment of the devices, password/biometric change phase and also smart card revocation phase in case the smart card is lost or stolen by an adversary. In addition, the proposed scheme is lightweight in nature. We carry out the formal security analysis using the broadly accepted Real-Or-Random (ROR) model and also the non-mathematical (informal) security analysis on the proposed scheme. Furthermore, the formal security verification using the popularly-used AVISPA (Automated Validation of Internet Security Protocols and Applications) tool is carried out on the proposed scheme. The detailed security analysis assures that the proposed scheme can withstand several well-known attacks in the IIoT environment. A practical demonstration using the NS2 simulation study is also performed for the proposed scheme and other related existing schemes. Also, a detailed comparative study shows that the proposed scheme is efficient, and provides superior security in comparison to the other schemes.

96 citations


Book ChapterDOI
01 Jan 2020
TL;DR: In proposed model, an improved concept has been implemented and the integration of cloud and Big data is achieved and the accountability for the data access has also been implemented.
Abstract: The Big data and cloud integration is a challenging task. To enhance the data security issues, ABE can be deployed. In proposed model, an improved concept has been implemented and the integration of cloud and Big data is achieved. Security is the major threat for cloud computing applications. Every user has to feed user name, password, and primary key for Data access into the cloud data center. Data owner generates a new key to the users for accessing the data. Policy updating is also implemented in the proposed system, that is the accountability for the data access has also been implemented. In case of the change of policy, the altered data stored in the cloud is not affected. In addition to that, admin generates policy key based on the user’s profile. If any user tries to misbehave, an immediate alert is sent to the data owner. Data owner can change the policy key and access policy in the run time. Our system should be able to update its policy automatically.

94 citations


Proceedings ArticleDOI
18 May 2020
TL;DR: This paper systematically evaluates Dragonfly’s security, and presents timing leaks and authentication bypasses in EAP-pwd and WPA3 daemons, and discusses backwards-compatible defenses, and proposes protocol fixes that prevent attacks.
Abstract: The WPA3 certification aims to secure home networks, while EAP-pwd is used by certain enterprise Wi-Fi networks to authenticate users. Both use the Dragonfly handshake to provide forward secrecy and resistance to dictionary attacks. In this paper, we systematically evaluate Dragonfly’s security. First, we audit implementations, and present timing leaks and authentication bypasses in EAP-pwd and WPA3 daemons. We then study Dragonfly’s design and discuss downgrade and denial-of-service attacks. Our next and main results are side-channel attacks against Dragonfly’s password encoding method (e.g. hash-to-curve). We believe that these side-channel leaks are inherent to Dragonfly. For example, after our initial disclosure, patched software was still affected by a novel side-channel leak. We also analyze the complexity of using the leaked information to brute-force the password. For instance, brute-forcing a dictionary of size 10^10 requires less than $1 in Amazon EC2 instances. These results are also of general interest due to ongoing standardization efforts on Dragonfly as a TLS handshake, Password-Authenticated Key Exchanges (PAKEs), and hash-to-curve. Finally, we discuss backwards-compatible defenses, and propose protocol fixes that prevent attacks. Our work resulted in a new draft of the protocols incorporating our proposed design changes.

93 citations


Journal ArticleDOI
TL;DR: The overall performance is analyzed by comparing the proposed improved ECC with existing Rivest–Shamir–Adleman (RSA) and ECC algorithms.
Abstract: Mobile users are increasing exponentially to adopt ubiquitous services offered by various sectors. This has attracted attention for a secure communication framework to access e-health data on mobile devices. The wearable sensor device is attached to the patient's body which monitors the blood pressure, body temperature, serum cholesterol, glucose level, etc. In the proposed secure framework, first, the task starts with the patient authentication, after that the sensors device linked to the patient is activated and the sensor values of the patient are transmitted to the cloud server. The patient's biometrics information has been added as a parameter in addition to the user name and password. The authentication scheme is coined with the SHA-512 algorithm that ensures integrity. To securely send the sensor information, the method follows two kinds of encryption: Substitution-Caesar cipher and improved Elliptical Curve Cryptography (IECC). Whereas in improved ECC, an additional key (secret key) is generated to enhance the system's security. In this way, the intricacy of the two phases is augmented. The computational cost of the scheme in the proposed framework is 4H + Ec + Dc which is less than the existing schemes. The average correlation coefficient value is about 0.045 which is close to zero shows the strength of the algorithm. The obtained encryption and decryption time are 1.032 μs and 1.004 μs respectively. The overall performance is analyzed by comparing the proposed improved ECC with existing Rivest-Shamir-Adleman (RSA) and ECC algorithms.

87 citations


Journal ArticleDOI
TL;DR: The security of CSUAC-IoT under the real-or-random (ROR) model is proved, and it is demonstrated that it can resist several common attacks found in a typical IoT environment using the AVISPA tool.
Abstract: User access control is a crucial requirement in any Internet of Things (IoT) deployment, as it allows one to provide authorization, authentication, and revocation of a registered legitimate user to access real-time information and/or service directly from the IoT devices. To complement the existing literature, we design a new three-factor certificateless-signcryption-based user access control for the IoT environment (CSUAC-IoT). Specifically, in our scheme, a user $U$'s password, personal biometrics, and mobile device are used as the three authentication factors. By executing the login and access control phase of CSUAC-IoT, a registered user $(U)$ and a designated smart device $(S_{i})$ can authorize and authenticate mutually via the trusted gateway node (GN) in a particular cell of the IoT environment. In our setting, the environment is partitioned into disjoint cells, and each cell will contain a certain number of IoT devices along with a GN. With the established session key between $U$ and $S_{i}$, both entities can then communicate securely. In addition, CSUAC-IoT supports new IoT devices deployment, user revocation, and password/biometric update functionality features. We prove the security of CSUAC-IoT under the real-or-random (ROR) model, and demonstrate that it can resist several common attacks found in a typical IoT environment using the AVISPA tool. A comparative analysis also reveals that CSUAC-IoT achieves better tradeoff for security and functionality, and computational and communication costs, in comparison to five other competing approaches.

87 citations


Journal ArticleDOI
TL;DR: The nature of CA in IoT applications is outlined, the key behavioral signals are highlighted, the extant solutions from an AI perspective are summarized, and the challenges and promising future directions to guide the next generation of AI-based CA research are discussed.
Abstract: In the Internet-of-Things (IoT) era, user authentication is essential to ensure the security of connected devices and the customization of passive services. However, conventional knowledge-based and physiological biometric-based authentication systems (e.g., password, face recognition, and fingerprints) are susceptible to shoulder surfing attacks, smudge attacks, and heat attacks. The powerful sensing capabilities of IoT devices, including smartphones, wearables, robots, and autonomous vehicles enable continuous authentication (CA) based on behavioral biometrics. The artificial intelligence (AI) approaches hold significant promise in sifting through large volumes of heterogeneous biometrics data to offer unprecedented user authentication and user identification capabilities. In this survey article, we outline the nature of CA in IoT applications, highlight the key behavioral signals, and summarize the extant solutions from an AI perspective. Based on our systematic and comprehensive analysis, we discuss the challenges and promising future directions to guide the next generation of AI-based CA research.

76 citations


Journal ArticleDOI
TL;DR: A novel approach of OTP generation that relies on elliptic curve cryptography and isogeny in order to ensure IoT security and performance is proposed and evaluated with a real implementation and compared its performance with two other approaches.
Abstract: Internet of Things (IoT) enables the interconnection of physical and virtual objects that are managed by various types of hardware, software, and communication technologies. The large-scale deployment of IoT is actually enabling smart cities, smart factories, smart health, and many other applications and initiatives all over the world. Indeed, according to a recent Gartner study, 50 billion connected objects will be deployed by 2020. IoT will make our cities and daily applications smart. However, IoT technologies also open up multiple risks and privacy issues. Due to hardware limitations of IoT objects, implementing and deploying robust and efficient security and privacy solutions for the IoT environment remains a significant challenge. One-time password (OTP) is an authentication scheme that represents a promising solution for IoT and smart cities environments. We extend the OTP principle and propose a novel approach of OTP generation that relies on elliptic curve cryptography and isogeny in order to ensure IoT security. We evaluate the efficacy of our approach with a real implementation and compared its performance with two other approaches namely, hash message authentication code-based OTP and time-based OTP. The performance results obtained demonstrate the efficiency and effectiveness of our approach in terms of security and performance.

75 citations


Journal ArticleDOI
TL;DR: A novel DNA-based encryption scheme is proposed in this article for protecting multimedia files in the cloud computing environment and the efficiency of the proposed scheme over some well-known existing schemes is shown.
Abstract: Today, the size of a multimedia file is increasing day by day from gigabytes to terabytes or even petabytes, mainly because of the evolution of a large amount of real-time data. As most of the multimedia files are transmitted through the internet, hackers and attackers try to access the users’ personal and confidential data without any authorization. Thus, maintaining a strong security technique has become a significant concerned to protect the personal information. Deoxyribonucleic Acid (DNA) computing is an advanced field for improving security, which is based on the biological concept of DNA. A novel DNA-based encryption scheme is proposed in this article for protecting multimedia files in the cloud computing environment. Here, a 1024-bit secret key is generated based on DNA computing and the user's attributes and password to encrypt any multimedia file. To generate the secret key, the decimal encoding rule, American Standard Code for Information Interchange value, DNA reference key, and complementary rule are used, which enable the system to protect the multimedia file against many security attacks. Experimental results, as well as theoretical analyses, show the efficiency of the proposed scheme over some well-known existing schemes.

72 citations


Journal ArticleDOI
TL;DR: Novel phishing URL detection models using Deep Neural Network, Long Short-Term Memory, and Convolution Neural Network are proposed using only 10 features of earlier work, which achieves an accuracy of 99.52% for DNN, 99.57% for LSTM and 99.43% for CNN.
Abstract: Phishing is a fraudulent practice and a form of cyber-attack designed and executed with the sole purpose of gathering sensitive information by masquerading the genuine websites. Phishers fool users by replicating the original and genuine contents to reveal personal information such as security number, credit card number, password, etc. There are many anti-phishing techniques such as blacklist- or whitelist-, heuristic-feature- and visual-similarity-based methods proposed as of today. Modern browsers adapt to reduce the chances of users getting trapped into a vicious agenda, but still users fall as prey to phishers and end up revealing their secret information. In a previous work, the authors proposed a machine learning approach based on heuristic features for phishing website detection and achieved an accuracy of 99.5% using 18 features. In this paper, we have proposed novel phishing URL detection models using (a) Deep Neural Network (DNN), (b) Long Short-Term Memory (LSTM) and (c) Convolution Neural Network (CNN) using only 10 features of our earlier work. The proposed technique achieves an accuracy of 99.52% for DNN, 99.57% for LSTM and 99.43% for CNN. The proposed techniques utilize only one third-party service feature, thus making it more robust to failure and increases the speed of phishing detection.

Journal ArticleDOI
TL;DR: A password-based anonymous lightweight key agreement framework for smart grid (PALK) is designed by using elliptic curve cryptography and it is proved that PALK is secure against man-in-the-middle attack and replay attack using the simulation tool “AVISPA”.

Journal ArticleDOI
TL;DR: This paper presents a secure and efficient authentication protocol based on three-factor authentication by taking advantage of biometrics and uses a honey_list technique to protect against brute force and stolen smartcard attacks.
Abstract: The Internet of Things (IoT) is useful for connecting and collecting variable data of objects through the Internet, which makes to generate useful data for humanity. An indispensable enabler of IoT is the wireless sensor networks (WSNs). Many environments, such as smart healthcare, smart transportation and smart grid, have adopted WSN. Nonetheless, WSNs remain vulnerable to a variety of attacks because they send and receive data over public channels. Moreover, the performance of IoT enabled sensor devices has limitations since the sensors are lightweight devices and are resource constrained. To overcome these problems, many security authentication protocols for WSNs have been proposed. However, many researchers have pointed out that preventing smartcard stolen and off-line guessing attacks is an important security issue, and guessing identity and password at the same time is still possible. To address these weaknesses, this paper presents a secure and efficient authentication protocol based on three-factor authentication by taking advantage of biometrics. Meanwhile, the proposed protocol uses a honey_list technique to protect against brute force and stolen smartcard attacks. By using the honey_list technique and three factors, the proposed protocol can provide security even if two of the three factors are compromised. Considering the limited performance of the sensors, we propose an efficient protocol using only hash functions excluding the public key based elliptic curve cryptography. For security evaluation of the proposed authentication protocol, we perform informal security analysis, and Real-Or-Random (ROR) model-based and Burrows Abadi Needham (BAN) logic based formal security analysis. We also perform the formal verification using the widely-used Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation software. Besides, compared to previous researches, we demonstrate that our proposed authentication protocol for WSNs systems is more suitable and secure than others.

Journal ArticleDOI
TL;DR: The paper points out that the trend of the authentication on mobile devices would be the multi-factor authentication, which determines the user’s identity using the integration (not the simple combination) of more than one authentication metrics.

Posted Content
TL;DR: This work quantifies the efficacy of targeted and untargeted data- and model-poisoning attacks against state-of-the-art autocompleters based on Pythia and GPT-2.
Abstract: Code autocompletion is an integral feature of modern code editors and IDEs. The latest generation of autocompleters uses neural language models, trained on public open-source code repositories, to suggest likely (not just statically feasible) completions given the current context. We demonstrate that neural code autocompleters are vulnerable to poisoning attacks. By adding a few specially-crafted files to the autocompleter's training corpus (data poisoning), or else by directly fine-tuning the autocompleter on these files (model poisoning), the attacker can influence its suggestions for attacker-chosen contexts. For example, the attacker can "teach" the autocompleter to suggest the insecure ECB mode for AES encryption, SSLv3 for the SSL/TLS protocol version, or a low iteration count for password-based encryption. Moreover, we show that these attacks can be targeted: an autocompleter poisoned by a targeted attack is much more likely to suggest the insecure completion for files from a specific repo or specific developer. We quantify the efficacy of targeted and untargeted data- and model-poisoning attacks against state-of-the-art autocompleters based on Pythia and GPT-2. We then evaluate existing defenses against poisoning attacks and show that they are largely ineffective.

Proceedings ArticleDOI
18 May 2020
TL;DR: This paper presents the first large-scale lab study of FIDO2 single-factor authentication to collect insights about end-users’ perception, acceptance, and concerns about passwordless authentication and derive concrete recommendations to try to help in the ongoing proliferation of passwordless Authentication on the web.
Abstract: The newest contender for succeeding passwords as the incumbent web authentication scheme is the FIDO2 standard. Jointly developed and backed by the FIDO Alliance and the W3C, FIDO2 has found support in virtually every browser, finds increasing support by service providers, and has adoptions beyond browser-software on its way. While it supports MFA and 2FA, its single-factor, passwordless authentication with security tokens has received the bulk of attention and was hailed by its supporters and the media as the solution that will replace text-passwords on the web. Despite its obvious security and deployability benefits—a setting that no prior solution had in this strong combination—the paradigm shift from a familiar knowledge factor to purely a possession factor raises questions about the acceptance of passwordless authentication by end-users. This paper presents the first large-scale lab study of FIDO2 single-factor authentication to collect insights about end-users’ perception, acceptance, and concerns about passwordless authentication. Through hands-on tasks our participants gather first-hand experience with passwordless authentication using a security key, which they afterwards reflect on in a survey. Our results show that users are willing to accept a direct replacement of text-based passwords with a security key for single-factor authentication. That is an encouraging result in the quest to replace passwords. But, our results also identify new concerns that can potentially hinder the widespread adoption of FIDO2 passwordless authentication. In order to mitigate these factors, we derive concrete recommendations to try to help in the ongoing proliferation of passwordless authentication on the web.

Journal ArticleDOI
TL;DR: New models to hide sensitive data via Arabic text steganography based on Kashida extension character used redundant within Arabic writing text are presented, showing interesting results and promising research contributions.
Abstract: This paper presented new models to hide sensitive data via Arabic text steganography. The models are structured to serve personal remembrance of secret shares to be used within counting-based secret sharing technique. This research hides secret shares adopting humanized remembrance tool to serve uncontrolled assigned shares, which are generated from the security system via automatically authentic target key generation process. The shares in their original secret sharing process are challenging to be memorized unlike normal password assignment that is enjoying the full personal selection. Therefore, our models for hiding secret shares are proposed to be hidden inside the personally chosen texts utilizing improved Arabic text steganography. This steganography models study is based on Kashida extension character used redundant within Arabic writing text. The research tests our two proposed modifications to original Arabic text steganography all serving secret sharing on the same text database. The comparisons examined the different models on the same benchmark of Imam Nawawi’s forty hadeeth collected by Islamic Scholar: Yahya ibn Sharaf an-Nawawi as standard text statements (40 Prophet Hadiths) showing interesting results and promising research contributions.

Journal ArticleDOI
TL;DR: Both theoretical and experimental analyses validate low overhead, confidentiality, and effective authentication of the proposed data acquisition framework for a number of industrial-informatics-based applications, such as IoT.
Abstract: In the presence of several critical issues during data acquisition in industrial-informatics-based applications, like Internet of Things (IoT) and smart grid, this article proposes a novel framework based on compressive sensing (CS) and a cascade chaotic system (CCS). This framework can ensure low overhead, confidentiality, and authentication. Based on CS and the CCS, three technologies, including CCS-driven CS, CCS-driven local perturbation, and authentication mechanism, are introduced in the proposed data acquisition framework in this article. CCS-driven CS generates the measurement matrix with chaotic initial conditions and avoids the transmission of a large-size measurement matrix. CCS-driven local perturbation only perturbs a small number of elements in the original measurement matrix for each sampling and avoids the regeneration of the large-size measurement matrix. The authentication mechanism employs the authentication password and the access password to deal with the passive tampering attack and the active tampering attack, respectively. Moreover, the permutation-diffusion structure is used to encrypt the obtained measurements to enhance the security. Both theoretical and experimental analyses validate low overhead, confidentiality, and effective authentication of the proposed data acquisition framework for a number of industrial-informatics-based applications, such as IoT.

Journal ArticleDOI
01 Apr 2020
TL;DR: Compared with other related protocols in the same environment, ESEAP is more efficient in terms of computation and communication cost, and as a result, the presented protocol can be utilized over public communication channel.
Abstract: Smart card based user server mutual authentication framework is famous for safe communication via unfavorable and insecure communication system. The authenticated user and server communicate to each other and share information via Internet. Recently, Wang et al. suggested a lightweight password-assisted two factor authentication framework using smart card. We reviewed their scheme and observed that it does maintain security and privacy off-line password guessing attack and also impersonation attack. We proposed enhance elliptic curve cryptography (ECC) based authentication framework for the same environment. The proposed scheme ESEAP is secure resilience of many attractive security attributes and features like off-line password guessing attack, no password verifier-table, smart card loss attack, anonymity, mutual authentication, replay attack, impersonation attack, server spooling attack, no clock-synchronization attack, forward secrecy, insider attack, message authentication, provision of key agreement, parallel attack, sound repairability, no password exposure, timely typo detection, resistance to know attacks, password friendly, user unlinkability and server unlinkability. Further, the paper shows formal security analysis of the ESEAP which based on random oracle model. We compared the presented protocol with other related protocols in the same environment, and show that ESEAP is more efficient in terms of computation and communication cost. As a result, the presented protocol can be utilized over public communication channel.

Journal ArticleDOI
TL;DR: Security and usability perceptions deviated from objective factors and should therefore be carefully considered before making decisions in terms of authentication, according to subjective user perceptions that influence acceptance and actual use of authentication schemes.
Abstract: Password authentication is still ubiquitous although alternatives have been developed to overcome its shortcomings such as high cognitive load for users. Using an objective rating scheme Bonneau et al. (2012) demonstrated that replacing the password poses a quest that yet remains unsolved. To shine light on this intractable issue we turn towards subjective user perceptions that influence acceptance and actual use of authentication schemes. We first conducted an extensive rating of objective features of authentication schemes to inform our selection of schemes for this research. Building on the findings thereof, 41 users interacted with twelve different authentication schemes in a laboratory study. The participants’ ratings revealed that the password followed by fingerprint authentication scored highest in terms of preference, usability, intention to use and lowest in terms of expected problems and effort. Usability and effort seem to be important factors for users’ preference rating whereas security and privacy ratings were not correlated with preference. One reason for these factors to fall behind might be their opacity and the resulting difficulty to evaluate them from a user perspective. Further, security and usability perceptions deviated from objective factors and should therefore be carefully considered before making decisions in terms of authentication. Suggestions for making security and privacy features more tangible and to allow for an easier integration in the users’ decision process are discussed.

Journal ArticleDOI
TL;DR: This paper proposes a new secure authentication scheme with forward secrecy for IIoT systems, in which Rabin cryptosystem is employed and the password verification table is avoided and the rigorous formal proof and heuristic analysis demonstrate that the proposed scheme provides the desired security and functional features.

Journal ArticleDOI
TL;DR: This article resorts to smooth projective hash functions, which enable the server to store a hash of the user's password with a random salt, providing guarantees that the user’s password is never transmitted in plain-text to the server at login.
Abstract: However, most of the existing asymmetric-PAKE protocols either are based on traditional hash functions under random oracles or depend on non-quantum-secure hardness assumptions and remain insecure in the quantum era. To bridge the gap between the asymmetric-PAKE and quantum-safe, in this paper, we resort to smooth projective hash functions (SPHF) and commitment-based password-hashing schemes (PHS) over lattice-based cryptography, and we propose the construction of round-optimal asymmetric PAKE protocol secure against quantum attacks. Our construction eliminates the costly non-interactive zero-knowledge (NIZK) method, bypasses assumptions of the random oracle model, and achieves quantum resistance. We also show that our asymmetric-PAKE protocol can achieve balanced security and robustness under the Bellare-Pointcheval-Rogaway (BPR) model. Finally, we develop a prototype implementation of our instantiation and use it to evaluate its performance in realistic settings.

Journal ArticleDOI
TL;DR: The proposed TA-RNN system outperforms the state of the art, achieving a final 2.38% Equal Error Rate, using just a 4-digit password and one training sample per character, in comparison with traditional typed-based password systems.
Abstract: Passwords are still used on a daily basis for all kinds of applications. However, they are not secure enough by themselves in many cases. This work enhances password scenarios through two-factor authentication asking the users to draw each character of the password instead of typing them as usual. The main contributions of this study are as follows: i) We present the novel MobileTouchDB public database, acquired in an unsupervised mobile scenario with no restrictions in terms of position, posture, and devices. This database contains more than 64K on-line character samples performed by 217 users, with 94 different smartphone models, and up to 6 acquisition sessions. ii) We perform a complete analysis of the proposed approach considering both traditional authentication systems such as Dynamic Time Warping (DTW) and novel approaches based on Recurrent Neural Networks (RNNs). In addition, we present a novel approach named Time-Aligned Recurrent Neural Networks (TA-RNNs). This approach combines the potential of DTW and RNNs to train more robust systems against attacks. A complete analysis of the proposed approach is carried out using both MobileTouchDB and e-BioDigitDB databases. Our proposed TA-RNN system outperforms the state of the art, achieving a final 2.38% Equal Error Rate, using just a 4-digit password and one training sample per character. These results encourage the deployment of our proposed approach in comparison with traditional typed-based password systems where the attack would have 100% success rate under the same impostor scenario.

Journal ArticleDOI
TL;DR: SLIM is a 32-bit block cipher based on the Feistel structure that has an excellent performance in both hardware and software environments, with a limited implementation area, an acceptable cost/security for RFID systems, and an energy-efficient behaviour.
Abstract: Nowadays, there is a strong demand for increasing the protection of resource-constrained devices such as Radio frequency identification (RFID) systems. Current cryptographic algorithms are sufficient for high-resource desktop computers. RFID systems are commonly used in high-security applications such as access control systems, transaction banking systems, and payment systems. The attacker attempts to mislead RFIDs for unauthorized access to services without payment or to circumvent security mechanisms by detecting a secret password. The biggest challenge in RFID systems is how to ensure successful protection against such infringements. Lightweight cryptography can provide security assurance for protecting RFID systems. This article presents a new ultra-lightweight cryptography algorithm for RFID systems called SLIM. SLIM is a 32-bit block cipher based on the Feistel structure since block ciphers are the most used cryptographic and provide very tight protection for IoT devices. The key challenge in designing a lightweight block cipher is to cope with performance, cost, and security. SLIM, like all symmetric block ciphers, uses the same key for encryption and decryption. The proposed algorithm has an excellent performance in both hardware and software environments, with a limited implementation area, an acceptable cost/security for RFID systems, and an energy-efficient behaviour. SLIM has demonstrated high immunity against the most effective linear and differential cryptanalysis attacks and has a sufficient margin of defence against these attacks.

Journal ArticleDOI
TL;DR: This article designs, implements, and evaluates a new authentication scheme called the hidden pattern (THP), which combines graphics password and digital challenge value to prevent multiple types of authentication attacks at the same time.
Abstract: SDN has provided significant convenience for network providers and operators in cloud computing. Such a great advantage is extending to the Internet of Things network. However, it also increases the risk if the security of an SDN network is compromised. For example, if the network operator’s permission is illegally obtained by a hacker, he/she can control the entry of the SDN network. Therefore, an effective authentication scheme is needed to fit various application scenarios with high-security requirements. In this article, we design, implement, and evaluate a new authentication scheme called the hidden pattern (THP), which combines graphics password and digital challenge value to prevent multiple types of authentication attacks at the same time. We examined THP in the perspectives of both security and usability, with a total number of 694 participants in 63 days. Our evaluation shows that THP can provide better performance than the existing schemes in terms of security and usability.

Journal ArticleDOI
TL;DR: This review paper reflects the limitations of various biometric template protection methods being used in present times and highlights the scope of future work.
Abstract: Identifying a person based on their behavioral and biological qualities in an automated manner is called biometrics. The authentication system substituting traditional password and token for authentication and relies gradually on biometric authentication methods for verification of the identity of an individual. This proves the fact that society has started depending on biometric-based authentication systems. Security of biometric authentication needs to be reviewed and discussed as there are multiple points related to integrity and public reception of biometric-based authentication systems. Security and recognition accuracy are the two most important aspects which must be considered while designing biometric authentication systems. During enrollment phase scanning of biometric data is done to determine a set of distinct biometric feature set known as biometric template. Protection of biometric templates from various hacking efforts is a topic of vital importance as unlike passwords or tokens, compromised biometric templates cannot be reissued. Therefore, giving powerful protection techniques for biometric templates and still at that very moment preparing great identification accuracy is a good research problem nowadays, as well as in the future. Furthermore, efficiency under non-ideal conditions is also supposed to be inadequate and thus needs special attention in the design of a biometric authentication system. Disclosure of various biometric traits in miscellaneous applications creates a severe compromise on the privacy of the user. Biometric authentication can be utilized for remote user authentication. In this case, the biometric data of users typically called templates are stored in a server. The uniqueness and stability of biometrics ended it useful over traditional authentication systems. But, a similar thing made the enduring harm of a user’s identity in biometric systems. 
The architecture of the biometric system leads to several hazards that lead to numerous security concerns and privacy threats. To address this issue, biometric templates are secured using several schemes that are categorized as biometric cryptosystems, cancelable biometrics, hybrid methods, Homomorphic Encryption, visual cryptography based methods. Biometric cryptosystems and cancelable biometrics techniques provide reliable biometric security at a great level. However, there persist numerous concerns and encounters that are being faced during the deployment of these protection technologies. This paper reviews and analyses various biometric template protection methods. This review paper also reflects the limitations of various biometric template protection methods being used in present times and highlights the scope of future work.

Journal ArticleDOI
TL;DR: This paper proposes a novel freely typed text-based KDA method for mobile devices named FACT, i.e., user authentication on mobile devices based on free text, accelerator, coordinate, and time, and demonstrates a perfect protection capability while using Korean when more than four reference keystroke sets were used.

Proceedings ArticleDOI
05 Nov 2020
TL;DR: Wang et al. presented a novel ensemble model to detect phishing attacks on the website, which used three machine learning classifiers: Artificial Neural Network (ANN), K-Nearest Neighbors (KNN), and Decision Tree (C4.5).
Abstract: Currently and particularly with remote working scenarios during COVID-19, phishing attack has become one of the most significant threats faced by internet users, organizations, and service providers. In a phishing attack, the attacker tries to steal client sensitive data (such as login, passwords, and credit card details) using spoofed emails and fake websites. Cybercriminals, hacktivists, and nation-state spy agencies have now got a fertilized ground to deploy their latest innovative phishing attacks. Timely detection of phishing attacks has become more crucial than ever. Machine learning algorithms can be used to accurately detect phishing attacks before a user is harmed. This paper presents a novel ensemble model to detect phishing attacks on the website. We select three machine learning classifiers: Artificial Neural Network (ANN), K-Nearest Neighbors (KNN), and Decision Tree (C4.5) to use in an ensemble method with Random Forest Classifier (RFC). This ensemble method effectively detects website phishing attacks with better accuracy than existing studies. Experimental results demonstrate that the ensemble of KNN and RFC detects phishing attacks with 97.33% accuracy.

Proceedings ArticleDOI
25 Apr 2020
TL;DR: This work presents RubikAuth, a novel authentication scheme for VR where users authenticate quickly by selecting digits from a virtual 3D cube that is manipulated with a handheld controller and suggests that providing attackers with support material contributes to more realistic security evaluations.
Abstract: There is a growing need for usable and secure authentication in virtual reality (VR). Established concepts (e.g., 2D graphical PINs) are vulnerable to observation attacks, and proposed alternatives are relatively slow. We present RubikAuth, a novel authentication scheme for VR where users authenticate quickly by selecting digits from a virtual 3D cube that is manipulated with a handheld controller. We report two studies comparing how pointing using gaze, head pose, and controller tapping impacts RubikAuth's usability and observation resistance under three realistic threat models. Entering a four-symbol RubikAuth password is fast: 1.69 s to 3.5 s using controller tapping, 2.35 s to 4.68 s using head pose, and 2.39 s to 4.92 s using gaze and highly resilient to observations; 97.78% to 100% of observation attacks were unsuccessful. Our results suggest that providing attackers with support material contributes to more realistic security evaluations.

Proceedings ArticleDOI
30 Oct 2020
TL;DR: Interestingly, against expert attackers, character-class requirements, traditionally associated with producing stronger passwords, in practice may provide very little improvement and may even reduce effective security.
Abstract: Multiple mechanisms exist to encourage users to create stronger passwords, including minimum-length and character-class requirements, prohibiting blocklisted passwords, and giving feedback on the strength of candidate passwords. Despite much research, there is little definitive, scientific guidance on how these mechanisms should be combined and configured to best effect. Through two online experiments, we evaluated combinations of minimum-length and character-class requirements, blocklists, and a minimum-strength requirement that requires passwords to exceed a strength threshold according to neural-network-driven password-strength estimates. Our results lead to concrete recommendations for policy configurations that produce a good balance of security and usability. In particular, for high-value user accounts we recommend policies that combine minimum-strength and minimum-length requirements. While we offer recommendations for organizations required to use blocklists, using blocklists does not provide further gains. Interestingly, we also find that against expert attackers, character-class requirements, traditionally associated with producing stronger passwords, in practice may provide very little improvement and may even reduce effective security.