一种防边权和语义攻击的位置隐私保护方法

边权攻击和位置语义攻击根据移动用户活动的周边环境推断用户的位置,泄露用户的位置隐私。针对该问题,提出一种防边权攻击的位置语义安全隐私保护方法。该方法将道路的敏感度和关联度结合,构建道路隐私度,描述道路在语义位置的敏感性,及道路与匿名集中其他道路上用户数量分布的均衡性;基于中心服务器结构,根据用户的位置隐私要求,采用宽度优先搜索方式,筛选道路隐私度最小的道路加入匿名集,以生成具备语义安全和防边权推断攻击的匿名集。仿真测试结果表明,该方法筛选的匿名集的匿名成功率达到87%,抗边权攻击和语义攻击的能力要高于对比算法。     

Efficient and secure two-factor dynamic ID-based password authentication scheme with provable security

Password-based remote user authentication schemes using smart cards are designed to ensure that only a user who possesses both the smart card and the corresponding password can gain access to the remote servers. Despite many research efforts, it remains a challenging task to design a secure password-based authentication scheme with user anonymity. The author uses Kumari et al.’s scheme as the case study. Their scheme uses non-public key primitives. The author first presents the cryptanalysis of Kumari et al.’s scheme in which he shows that their scheme is vulnerable to user impersonation attack, and does not provide forward secrecy and user anonymity. Using the case study, he has identified that public-key techniques are indispensable to construct a two-factor authentication scheme with security attributes, such as user anonymity, unlinkability and forward secrecy under the nontamper resistance assumption of the smart card. The author proposes a password-based authentication scheme using elliptic curve cryptography. Through the informal and formal security analysis, he shows that proposed scheme is secure against various known attacks, including the attacks found in Kumari’s scheme. Furthermore, he verifies the correctness of mutual authentication using the BAN logic.     

On compositional reasoning about anonymity and privacy in epistemic logic

In this paper, we exploit epistemic logic (or the modal logic of knowledge) for multiagent systems to discuss the compositionality of several privacy-related information-hiding/disclosure properties. The properties considered here are anonymity, privacy, onymity, and identity. Our initial observation reveals that anonymity/privacy properties are not necessarily sequentially compositional. This means that even though a system comprising several sequential phases satisfies a certain unlinkability property in each phase, the entire system does not always enjoy a desired unlinkability property. We show that the compositionality can be guaranteed provided that the phases of the system satisfy what we call independence assumptions. More specifically, we develop a series of theoretical case studies of what assumptions are sufficient to guarantee the sequential compositionality of various degrees of anonymity, privacy, onymity, and/or identity properties. Similar results for parallel composition are also discussed. Further, we use the probabilistic extension of epistemic logic to consider the compositionality of probabilistic anonymity/privacy. We show that the compositionality can also be guaranteed in the probabilistic setting, provided that the phases of the system satisfy a probabilistic independence assumption.     

KAMU: providing advanced user privacy in Kerberos multi-domain scenarios

In Next Generation Networks, Kerberos is becoming a key component to support authentication and key distribution for Internet application services. However, for this purpose, Kerberos needs to rectify certain deficiencies, especially in the area of privacy, which allow an eavesdropper to obtain information of the services users are accessing. This paper presents a comprehensive privacy framework that guarantees user anonymity, service access unlinkability and message exchange unlinkability in Kerberos both in single-domain and multi-domain scenarios. This proposal is based on different extensibility mechanisms already defined for Kerberos, which facilitate its adoption in already deployed systems. Apart from evaluating our proposal in terms of performance to prove its lightweight nature, we demonstrate its capability to work in perfect harmony with a widely used anonymous communication system like Tor.     

移动对等环境下基于网络编码的隐私保护方案

随着移动对等应用的快速发展,用户对自身隐私的需求变得越来越迫切.然而,由于在移动对等环境去中心化、拓扑变化性强的特点使得现有方案存在较多安全隐患.鉴于此,提出基于网络编码的节点隐私保护方案.主要工作包括：设计能够抵御万能敌手攻击的网络编码方案;将网络编码应用于移动对等资源共享,包括资源搜索、资源请求、应答及文件下载,实现了用户身份、用户位置及路由信息的隐私保护.方案的优势在于利用网络编码和多代理机制改善了网络的负载均衡、提高了信息传输成功率并增强了节点的隐私性.理论分析和仿真实验结果均表明,方案在网络中恶意节点比例低于50%的情况下,不仅可以保障信息的高效传输,同时可以隐藏用户的身份及其他隐私信息.     

Secure multimedia distribution in cloud computing using re-encryption and fingerprinting

Recently, cloud computing becomes a main platform for the distribution of multimedia content. The paradigm of multimedia distribution has been shifted from the models in traditional ways to the one in cloud computing. Security and privacy are two most important issues in multimedia distribution. The new model in cloud computing concerns the following issues. Firstly, outsourced content should be confidential except a data owner (DO). Secondly, the CSP is semi-trusted in the public cloud computing environment. A malicious data user (DU) may collude with the CSP to harm the DO’s rights and interests. Thirdly, the rights and interests of DU, including anonymity and unlinkability, should be protected. Based on the above problems, we propose and analyze a Multimedia Distribution based Re-encryption and Fingerprinting (MDRF) scheme in cloud computing. The proposed scheme 1) allows efficient distribution of the content while preserving security and privacy of copyright holders and end users, 2) resolve the problems of piracy tracing, collusion resistance, and dispute resolution, and 3) protect the rights and interests of DU, including anonymity and unlinkability. The analysis part demonstrates that the security of DO and DU are well provided in the proposed scheme. The experimental results evaluate the performance of our framework in terms of collusion resistance of the fingerprint and imperceptibility of fingerprint embedding.

     

On the anonymity of two-factor authentication schemes for wireless sensor networks: Attacks,principle and solutions

Anonymity is among the important properties of two-factor authentication schemes for wireless sensor networks (WSNs) to preserve user privacy. Though impressive efforts have been devoted to designing schemes with user anonymity by only using lightweight symmetric-key primitives such as hash functions and block ciphers, to the best of our knowledge none has succeeded so far. In this work, we take an initial step to shed light on the rationale underlying this prominent issue. Firstly, we scrutinize two previously-thought sound schemes, namely Fan et al.’s scheme and Xue et al.’s scheme, and demonstrate the major challenges in designing a scheme with user anonymity.Secondly, using these two foremost schemes as case studies and on the basis of the work of Halevi–Krawczyk (1999) [44] and Impagliazzo–Rudich (1989) [43], we put forward a general principle: Public-key techniques are intrinsically indispensable to construct a two-factor authentication scheme that can support user anonymity. Furthermore, we discuss the practical solutions to realize user anonymity. Remarkably, our principle can be applied to two-factor schemes for universal environments besides WSNs, such as the Internet, global mobility networks and mobile clouds. We believe that our work contributes to a better understanding of the inherent complexity in achieving user privacy, and will establish a groundwork for developing more secure and efficient privacy-preserving two-factor authentication schemes.     

A context-aware scheme for privacy-preserving location-based services

We address issues related to privacy protection in location-based services (LBSs). Most existing privacy-preserving LBS techniques either require a trusted third-party (anonymizer) or use cryptographic protocols that are computationally and communicationally expensive. Our design of privacy-preserving techniques is principled on not requiring a trusted third-party while being highly efficient in terms of time and space complexities. The problem has two interesting and challenging characteristics: First, the degree of privacy protection and LBS accuracy depends on the context, such as population and road density, around a user’s location. Second, an adversary may violate a user’s location privacy in two ways: (i) based on the user’s location information contained in the LBS query payload and (ii) by inferring a user’s geographical location based on the device’s IP address. To address these challenges, we introduce CAP, a context-aware privacy-preserving LBS system with integrated protection for both data privacy and communication anonymity. We have implemented CAP and integrated it with Google Maps, a popular LBS system. Theoretical analysis and experimental results validate CAP’s effectiveness on privacy protection, LBS accuracy, and communication QoS (Quality-of-Service).     

Privacy Preserving Biometric Authentication on the blockchain for smart healthcare

Privacy Preserving Biometric Authentication (PPBA) schemes are designed for anonymous authentication of patients to protect patient’s privacy in accessing healthcare services. Recently, blockchain technology in healthcare has emerged as a new research area to provide tamper-resistance and non-repudiation in e-health systems. One aspect of this research could lead to blockchain-based secure biometric identification for smart healthcare, which may face the paradox of anonymous biometric authentication on public blockchains. In this paper, we describe an efficient, fully anonymous and GDPR-compliant PPBA protocol built into the blockchain of any privacy coin such as Monero. The new protocol provides encrypted offline storage and processing in the encrypted domain. The infrastructure necessary for the online authentication is outsourced to the public blockchain that provides integrity of its data. In addition to auditing capabilities for misbehaving entities, the new system reduces the number of transactions necessary for authentication and enables revocation of biometric identities. We provide new PPBA schemes both for set difference/overlap and Euclidean distance metrics without using bilinear pairings, where the former leads to an efficient solution to the compatibility for organ transplant. We limit the generation of encrypted templates for public testing even if biometric/health data is of low min-entropy. Due to the anonymity of the cryptocurrency, we break the link between the stealth address of an authenticating user and its biometrics. We describe the user and identity privacy notions independent of the underlying privacy coin and guarantee the security of our proposal in the framework of those generic notions. Finally, we simulate the new proposal on Monero blockchain and analyze the transaction fees required for hill climbing attacks. The results show that our design leads to a natural hindrance against these attacks that could be successful even if the templates are stored as encrypted. To the best of our knowledge, this is the first efficient blockchain-based PPBA scheme that exhibits a punishment against hill climbing attacks through transaction fees.     

一种更具实用性的移动RFID认证协议

针对Doss协议的不足,提出了一种改进的轻量级移动RFID认证协议。首先使用二次剩余混合随机数加密的方法提高后台服务器识别速度;在阅读器端添加时间戳生成器,抵御阅读器冒充及重放攻击。新协议标签端只采用成本较低的伪随机数生成、模平方以及异或运算,遵循了EPC C1G2标准,且实现了移动RFID环境下的安全认证。理论分析及实验显示了新协议提高了Doss协议后台识别速度,并满足标签和阅读器的匿名性、阅读器隐私、标签前向隐私等安全需求,更有效抵抗已有的各种攻击：重放、冒充、去同步化攻击等。与同类RFID认证协议相比,实用性更佳。     

A classification of location privacy attacks and approaches

In recent years, location-based services have become very popular, mainly driven by the availability of modern mobile devices with integrated position sensors. Prominent examples are points of interest finders or geo-social networks such as Facebook Places, Qype, and Loopt. However, providing such services with private user positions may raise serious privacy concerns if these positions are not protected adequately. Therefore, location privacy concepts become mandatory to ensure the user’s acceptance of location-based services. Many different concepts and approaches for the protection of location privacy have been described in the literature. These approaches differ with respect to the protected information and their effectiveness against different attacks. The goal of this paper is to assess the applicability and effectiveness of location privacy approaches systematically. We first identify different protection goals, namely personal information (user identity), spatial information (user position), and temporal information (identity/position + time). Secondly, we give an overview of basic principles and existing approaches to protect these privacy goals. In a third step, we classify possible attacks. Finally, we analyze existing approaches with respect to their protection goals and their ability to resist the introduced attacks.     

An efficient two-factor user authentication scheme with unlinkability for wireless sensor networks

User authentication with unlinkability is one of the corner stone services for many security and privacy services which are required to secure communications in wireless sensor networks (WSNs). Recently, Xue et al. proposed a temporal-credential-based mutual authentication and key agreement scheme for WSNs, and claimed that their scheme achieves identity and password protection, and the resiliency of stolen smart card attacks. However, we observe that Xue et al.’s scheme is subject to identity guessing attack, tracking attack, privileged insider attack and weak stolen smart card attack. In order to fix the drawbacks, we propose an enhanced authentication scheme with unlinkability. Additionally, the proposed scheme further cuts the computational cost. Therefore, the proposed scheme not only remedies its security flaws but also improves its performance. It is more suitable for practical applications of WSNs than Xue et al.’s scheme.     

A lightweight authentication and key agreement protocol preserving user anonymity

Nowadays with widespread employment of the Internet, servers provide various services for legal users. The vital issue in client/server connections is authentication protocols that make the communication channel safe and secure against famous attacks. Recently, Kumari et al. and Chaudhry et al. proposed two authentication and key agreement protocols and illustrated that their proposed protocols are secure against various security attacks. However, in this paper we demonstrate that both protocols are vulnerable to off-line password guessing attacks. Moreover, we show that Kumari et al.’s protocol does not provide the property of user anonymity. In order to overcome these weaknesses, we propose a lightweight authentication and key agreement protocol. The correctness of the proposed protocol is proved using BAN logic. Security analysis demonstrates that the proposed protocol resists various security attacks and provides user anonymity. Furthermore, performance analysis confirms that the computation cost of the proposed protocol is acceptable.

     

Anonymizing continuous queries with delay-tolerant mix-zones over road networks

This paper presents a delay-tolerant mix-zone framework for protecting the location privacy of mobile users against continuous query correlation attacks. First, we describe and analyze the continuous query correlation attacks (CQ-attacks) that perform query correlation based inference to break the anonymity of road network-aware mix-zones. We formally study the privacy strengths of the mix-zone anonymization under the CQ-attack model and argue that spatial cloaking or temporal cloaking over road network mix-zones is ineffective and susceptible to attacks that carry out inference by combining query correlation with timing correlation (CQ-timing attack) and transition correlation (CQ-transition attack) information. Next, we introduce three types of delay-tolerant road network mix-zones (i.e., temporal, spatial and spatio-temporal) that are free from CQ-timing and CQ-transition attacks and in contrast to conventional mix-zones, perform a combination of both location mixing and identity mixing of spatially and temporally perturbed user locations to achieve stronger anonymity under the CQ-attack model. We show that by combining temporal and spatial delay-tolerant mix-zones, we can obtain the strongest anonymity for continuous queries while making acceptable tradeoff between anonymous query processing cost and temporal delay incurred in anonymous query processing. We evaluate the proposed techniques through extensive experiments conducted on realistic traces produced by GTMobiSim on different scales of geographic maps. Our experiments show that the proposed techniques offer high level of anonymity and attack resilience to continuous queries.     

A technique to circumvent SSL/TLS validations on iOS devices

SSL/TLS validations such as certificate and public key pinning can reinforce the security of encrypted communications between Internet-of-Things devices and remote servers, and ensure the privacy of users. However, such implementations complicate forensic analysis and detection of information disclosure; say, when a mobile app breaches user’s privacy by sending sensitive information to third parties. Therefore, it is crucial to develop the capacity to vet mobile apps augmenting the security of SSL/TLS traffic. In this paper, we propose a technique to bypass the system’s default certificate validation as well as built-in SSL/TLS validations performed in iOS apps. We then demonstrate its utility by analysing 40 popular iOS social networking, electronic payment, banking, and cloud computing apps.     

Secrets from the GPU

In the current controversial context caused by the disclosure of classified details of several top-secret United States and British government mass surveillance programs to the press by former NSA contractor Edward Snowden, issues of data privacy, anonymity, unlinkability, forward secrecy and deniability have raised to public prominence. In this work we investigate how an alternate usage of state-of-the-art yet ubiquitous computing platforms might help sovereign, citizen and general public recovery of control over privacy. These goals are notoriously difficult to achieve on the Internet today due to the insufficient public-key infrastructure at the user level. Our approach leverages modern multi-core processors and general-purpose computing on graphics processing units, both as a source of true random entropy pools and computational engines for very fast elliptic curve cryptography (ECC). Such autonomous, high-frequency Diffie–Hellman-ready agents reside in a breadth of devices ranging from smartphones and tablets, to laptops and high-end servers in datacenters. In contrast to the current circumstance, this suggested infrastructure enables generalized symmetric exchanges with the Vernam cipher without compromising ease-of-use nor requiring revolutionary changes in today’s well-grounded ECC theory.     

A k-anonymity privacy-preserving approach in wireless medical monitoring environments

With the proliferation of wireless sensor networks and mobile technologies in general, it is possible to provide improved medical services and also to reduce costs as well as to manage the shortage of specialized personnel. Monitoring a person’s health condition using sensors provides a lot of benefits but also exposes personal sensitive information to a number of privacy threats. By recording user-related data, it is often feasible for a malicious or negligent data provider to expose these data to an unauthorized user. One solution is to protect the patient’s privacy by making difficult a linkage between specific measurements with a patient’s identity. In this paper we present a privacy-preserving architecture which builds upon the concept of k-anonymity; we present a clustering-based anonymity scheme for effective network management and data aggregation, which also protects user’s privacy by making an entity indistinguishable from other k similar entities. The presented algorithm is resource aware, as it minimizes energy consumption with respect to other more costly, cryptography-based approaches. The system is evaluated from an energy-consuming and network performance perspective, under different simulation scenarios.     

一种有效的匿名分析算法

匿名是保护用户隐私的主要方法。当前的研究主要集中在设计具体匿名方案,较少涉及如何评估匿名机制的匿名性。本文根据匿名与不可关联性具有紧密的关系,设计了一套完备的匿名性推理系统,在此基础上给出了匿名分析算法。该算法能够发现隐藏的匿名漏洞,有效地评估现有匿名机制的安全性,并为设计一个新的匿名保护方案提供支持。     

Privacy addressing and autoconfiguration for mobile ad hoc networks

Allowing truly spontaneous and infrastructureless networking, mobile ad hoc networks (MANETs) are the future of wireless networks. However, most autoconfiguration proposals for MANETs lack privacy support, namely anonymity or pseudonymity and unlinkability aspects, which has become important considerations in many practical applications. This paper presents a novel privacy extension approach (PEA) for MANETs, which prevents eavesdroppers from identifying a particular mobile node by its address. In addition to privacy concerns, our scheme also brings some performance benefits, e.g., reducing the possibility of address conflict when the merging of separately configured networks occurs.     

AAnA: Anonymous authentication and authorization based on short traceable signatures

Due to the privacy concerns prevailing in today’s computing environments, users are more likely to require anonymity or at least pseudonyms; on the other hand, they must be traceable or revokable in case of abuse. Meanwhile, an authorization mechanism that controls access rights of users to services or resources is frequently needed in various real-world applications but does not favor anonymity. To cope with these problems, we explore an anonymous authentication and authorization method that very efficiently supports fine-grained authorization services without losing strong but traceable anonymity. The efficiency of our method comes from atomizing authorization within a group and issuing multiple authorization values for a group membership. The cryptographic basis of our method is the famous short traceable signature scheme. Our method allows a user to selectively disclose authorization according to need and also provides revocation and update of authorization without revoking membership or anonymity. To prevent users from forging authorization, our method enables the users to prove their authorizations while hiding the corresponding authorization values from other users. We formally analyze security and compare the related methods in terms of efficiency and functionality. We show that our method is secure against misidentification, anonymity-break and framing attacks and is efficient within a reasonable bound while still providing various functionalities such as fine-grained authorization and authorization revocation, commonly required in many practical applications.