Article

A decentralized open web cryptographic standard


Abstract

Security in web services is not well defined and is largely based on measures employed by the organization providing the service, the effectiveness of which varies greatly depending on expertise, implementation, and business motivation. To address this issue, this paper proposes an open standard called the Decentralized Open Web Cryptographic Standard (DOWCS) and a reference implementation for decentralized protection of sensitive data. Services may adhere to the standard to assure security to the end user. Taking OAuth and PGP as reference models, the standard incorporates multiple layers of security to ensure the secrecy of the data while also decentralizing the key information required to derive the confidential data from its encrypted form.


... Security validation of the proposed system is performed using the Automated Validation of Internet Security Protocols (AVISPA) tool [33], [34]. AVISPA Security tool analyzes the theoretical workflow of the security logic and returns any security flaw or vulnerability that could be exploited on the same. ...
Article
The twenty-first century has witnessed an enormous rise in data produced per person, and it has also witnessed newer and more advanced forms of digital attacks and, instinctively, a rise in the need for data protection. However, the essential assets are still physical and need to be protected. Usually vaults, lockers, safes and so on are used for the safekeeping of physical assets. However, studies have shown they are vulnerable to various attacks. This paper proposes a novel and robust physical lock for the safekeeping of physical assets called Loki. A Physical Security key is used to authenticate the lock and it uses a cloud-server architecture. It employs best cloud security practices, proper use of cryptography and trusted computing to mitigate all common risks. The cloud architecture runs a Virtual Machine (VM) to securely authenticate using Fast IDentity Online (FIDO2) specifications. The physical authenticator data is stored in the cloud for security and only accessed when an unlock is requested. The cloud allows web-based physical key management for adding more keys or removing keys. The whole system has been implemented in an Internet of Things (IoT) scenario.
Article
The growth and development of Cloud Computing from its inception till today has made tremendous progress, and the evidence of this is seen in every walk of life. However, considering data security, there is a big hiatus. It is consistently under threat besides many guards. This in turn has created a research gap to find a secure guard for Data Security. Data security is primarily dependent on encryption algorithms to secure data in the CC environment. Thus the encryption algorithm plays a predominant role in Cloud Storage (CS), which is a place to store all the data of the users or data owners. Hence the usage of CS has become inevitable in almost all fields including education, industry, and business, and its usage has grown by leaps and bounds, particularly in the pandemic. The metamorphosis of the encryption algorithm (i.e. AES, Triple DES, and Blowfish) has a complex formation to secure the data. However complex the formation is, it fails to cope with modern-day processor evaluation. The complexity level tends to be low considering the performance of modern-day processor evaluation. Hence an alternate solution is demanded, and this research paper has attempted to meet the demand by introducing a new multi-layered cryptographic algorithm named UK to secure the CS data. This UK algorithm follows an entirely new transformation procedure to secure the data. It creates huge complexity in reasonable encryption time, even though brute force needs to be more complex ever. The key and metadata are not stored in any place, so that the CS service provider will not be able to do anything in this structure. In this case, the database service providers have the hold of the encrypted data of the user, which cannot be accessed by any attacking techniques. Hence, the CS provider becomes the warehouse maintainer.
Article
Integrated Intelligent Transportation System (IITS) is built by the emergence of the Internet of Vehicles (IoV) and the employment of the Internet of Things (IoT) in the transportation field for improving traffic efficiency, avoiding accidents, and improving the safety experience in driving. Large-scale networks, dynamic topology structure, uneven nodes distribution, and unlimited mobility are the characteristics of IITS. It increased the risk of a variety of attacks related to authentication, credentials, availability, privacy, routing, and legitimacy of data. Distributed Denial of Service (DDoS) flooding attack plays a vital role in impairing Road Side Units (RSU) of IITS and is capable of evading classical data filtering methods. In this paper, a novel DDoS flooding attack detection method is proposed for ensuring the security of IITS by employing reinforcement learning. The proposed framework is implemented by addressing the security requirements of ITS and overcoming the flaws of existing detection methods in advanced vehicular systems. In addition, the Q learning algorithm is designed along with the framework. Other attacks, in addition to DDoS flooding attacks, should be mitigated in the future to ensure a completely secure connection.
Article
The goal of this study is to extend the guarantees provided by secure transmission protocols such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS) and apply them to the application layer. This paper proposes a comprehensive scheme that allows the unification of multiple security mechanisms, thereby removing the burden of authentication, mutual authentication, continuous authentication, and session management from the application development life-cycle. The proposed scheme will allow the creation of high-level security mechanisms such as access control and group authentication on top of the extended security provisions. This scheme effectively eliminates the need for session cookies, session tokens and any similar technique currently in use, hence reducing the attack surface and nullifying a vast group of attack vectors.
Article
The Internet of Things is currently getting significant interest from the scientific community. Academia and industry are both focused on moving ahead in attempts to enhance usability, maintainability, and security through standardization and development of best practices. We focus on security because of its impact as one of the most limiting factors to wider Internet of Things adoption. Numerous research areas exist in the security domain, ranging from cryptography to network security to identity management. This paper provides a survey of existing research applicable to the Internet of Things environment at the application layer in the areas of identity management, authentication, and authorization. We survey and analyze more than 200 articles, categorize them, and present current trends in the Internet of Things security domain.
Article
In today's internet era, with online transactions almost every second and terabytes of data being generated every day on the internet, securing information is a challenge. Cryptography is an integral part of modern world information security, making the virtual world a safer place. Cryptography is a process of making information unintelligible to an unauthorized person, hence providing confidentiality to genuine users. There are various cryptographic algorithms that can be used. Ideally, a user needs a cryptographic algorithm which is of low cost and high performance. However, in reality such an algorithm, a one-stop solution, does not exist. There are several algorithms with a cost-performance trade-off. For example, a banking application requires utmost security at high cost, and a gaming application sending player patterns for analytics does not bother much about security but needs to be fast and cost effective. Thus, amongst the existing cryptographic algorithms, we choose an algorithm which best fits the user requirements. In this process of choosing cryptographic algorithms, a study of the strengths, weaknesses, cost and performance of each algorithm will provide valuable insights. In our paper, we have implemented and analyzed in detail the cost and performance of the popularly used cryptographic algorithms DES, 3DES, AES, RSA and Blowfish to show an overall performance analysis, unlike only theoretical comparisons.
Article
We survey recent work on the elliptic curve discrete logarithm problem. In particular we review index calculus algorithms using summation polynomials, and claims about their complexity.
Article
Named Data Networking ensures data integrity, so that every important piece of data has to be signed by its owner in order to send it safely inside the network. Similarly, in NDN we have to assure that no one can open the data except authorized users. Since only the endpoints have the right to sign the data or check its validity during the verification process, we have considered that the data could be requested from various types of devices used by different people. These devices could be anything like a smartphone, PC, or sensor node with different CPU descriptions, parameters, and memory sizes; however, their ability to check the high traffic of data during the key generation and verification period is definitely a hard task, and it could exhaust systems with low computational resources. RSA and ECDSA as digital signature algorithms have proven their efficiency against cyber attacks; they are characterized by their speed to encrypt and decrypt data, in addition to their competence at checking data integrity. The main purpose of our research was to find the optimal algorithm that avoids the systems overhead and offers the best time during the signature scheme
Article
The most popular encryption scheme based on elliptic curves is the Elliptic Curve Integrated Encryption Scheme (ECIES), which is included in ANSI X9.63, IEEE 1363a, ISO/IEC 18033-2, and SECG SEC 1. These standards offer many ECIES options, not always compatible, making it difficult to decide what parameters and cryptographic elements to use in a specific deployment scenario. In this work, the authors show that a secure and practical implementation of ECIES can only be compatible with two of the four previously mentioned standards. They also provide the list of functions and options that must be used in such an implementation. Finally, they present the results obtained when testing this ECIES version implemented as a Java application, which allows them to offer some comments about the performance and feasibility of their proposed solution.
Conference Paper
We propose a formal model of web security based on an abstraction of the web platform and use this model to analyze the security of several sample web mechanisms and applications. We identify three distinct threat models that can be used to analyze web applications, ranging from a web attacker who controls malicious web sites and clients, to stronger attackers who can control the network and/or leverage sites designed to display user-supplied content. We propose two broadly applicable security goals and study five security mechanisms. In our case studies, which include HTML5 forms, Referer validation, and a single sign-on solution, we use a SAT-based model-checking tool to find two previously known vulnerabilities and three new vulnerabilities. Our case study of a Kerberos-based single sign-on system illustrates the differences between a secure network protocol using custom client software and a similar but vulnerable web protocol that uses cookies, redirects, and embedded links instead.
Conference Paper
This paper presents implementation results of a reconfigurable elliptic curve processor defined over prime fields GF(p). We use this processor to compare a new algorithm for point addition and point doubling operations on the twisted Edwards curves, against a current standard algorithm in use, namely the Double-and-Add. Secure power analysis versions of both algorithms are also examined and compared. The algorithms are implemented on an FPGA, and the speed, area and power performance of each are then evaluated for various modes of circuit operation using parallel processing. To the authors' knowledge, this work introduces the first documented FPGA implementation for computations on twisted Edwards curves over fields GF(p).
Article
Despite technological advances, humans remain the weakest link in Internet security. In this study, we examined five password-management behaviours to answer questions about user knowledge of password quality, motivation behind password selection and the effect of account type on password-management behaviour. First, we found that users know what constitutes a good/bad password and know which common password-management practices are (in)appropriate. Second, users are motivated to engage in these bad password-management behaviours because they do not see any immediate negative consequences to themselves (negative externalities) and because of the convenience–security tradeoff. Applying Construal Level Theory, we found that this tradeoff can be positively influenced by imposing a time frame factor, i.e. whether the password change will take place immediately (which results in weaker passwords) or in the future (which results in stronger passwords). Third, we found a time frame effect only for more important (online banking) accounts.
Conference Paper
As the Internet of Things (IoT) matures, a lot of concerns are being raised about security, privacy and interoperability. The Web of Things (WoT) model leverages web technologies to improve interoperability. Due to its distributed components, the web scaled well beyond initial expectations. Still, secure authentication and communication across organization boundaries rely on the Public Key Infrastructure (PKI), which is a non-transparent, centralized single point of failure. We can improve transparency and reduce the chain of trust, thus significantly improving IoT security, by empowering blockchain technology and web security standards. In this paper, we build a scalable, decentralized IoT-centric PKI and discuss how we can combine it with the emerging web authentication and authorization framework for constrained environments.
Conference Paper
Organizations are extensively using Identity and Access Management (IAM) systems to manage and control employees' identity and access privileges. An IAM system acts as a single trusted source of identity and access information. Securing and safeguarding this sensitive information from malicious insiders and cyber assaults is essential for the successful operation of an organization. Accordingly, organizations require a well-defined authentication and authorization mechanism which ensures that only the right persons, at the right time and with the right privileges, access the right applications. Though there are different Identity and Access Management models for authentication and authorization, those models have limitations in the implementation phase. Considering the hindrances and implementation pain points of the existing IAM models, this paper proposes a hybrid authentication and authorization model for secure and user-friendly web-based applications. The paper compares different access control models and their features with the proposed hybrid model.
Conference Paper
Cloud computing is one of the most cutting-edge advanced technologies around the world. According to recent research, many CIOs who work for famous corporations mentioned that security issues have been the most critical obstacles in the adoption of cloud technology. As one of the prominent applications of cloud computing, cloud storage has attracted more concerns; however, many security problems existing in cloud storage need to be resolved. This applied research paper briefly analyzes the development of cloud storage security, with a comprehensive discussion of several general solutions to those problems, introducing several non-technical issues such as third-party issues and trust mechanisms in cloud computing. Finally, some possible improvements to those solutions are provided.
Article
This paper demonstrates that consumers make incorrect inferences about security/convenience tradeoff. We find the evidence that consumers tend to infer unobservable security quality from observable convenience and that their inferences are not always correct. In four studies, we examine user perceptions of wireless Internet service quality, with an aim to understand consumers' irrational choice of a dominated product over a dominant option. Our results indicate that consumers make inference in security from convenience using a zero-sum heuristic and that they believe in improving security in return for losing convenience. In a choice setting, we empirically show that security perception, as well as convenience, influences consumers' product choices, contradicting the common view of existing literature that convenience is the sole driver of consumer choice. Our findings show that spontaneous and extensive education of consumers about security makes a modest impact on their inference making.
Conference Paper
Cloud customers and providers need to guard against data loss and theft. Encryption of personal and enterprise data is strongly recommended. Strong encryption with key management is one of the core mechanisms that Cloud Computing systems should use to protect data. For cases where the cloud provider must perform key management, this paper proposes cloud key management (CKMI); its creation and subsequent adoption will reduce the complexity of encryption management. By enabling support for interoperability between cloud cryptographic clients and cloud key management servers, CKMI reduces infrastructure costs and risks.
Conference Paper
This paper introduces "twisted Edwards curves," a generalization of the recently introduced Edwards curves; shows that twisted Edwards curves include more curves over finite fields, and in particular every elliptic curve in Montgomery form; shows how to cover even more curves via isogenies; presents fast explicit formulas for twisted Edwards curves in projective and inverted coordinates; and shows that twisted Edwards curves save time for many curves that were already expressible as Edwards curves.
Deterministic usage of the digital signature algorithm (DSA) and elliptic curve digital signature algorithm (ECDSA)
  • T Pornin
Edwards-curve digital signature algorithm
  • S Josefsson
  • I Liusvaara