Similar articles
Found 20 similar articles; search took 734 ms.
1.
Communication protocols for wireless networks have specified security layers, with high-level encryption strength. The dedicated security layer of the Wireless Application Protocol (WAP) is the Wireless Transport Layer Security (WTLS). In this paper, an efficient architecture for the hardware implementation of WTLS is proposed. The introduced system supports bulk encryption, authentication and data integrity. The proposed architecture operates alternatively for a set of ciphers, IDEA, DES, RSA, D.H., SHA-1 and MD5. It is based on two reconfigurable design units: the Reconfigurable Authentication Unit and the Reconfigurable Integrity Unit. These units operate alternatively for different ciphers and, at the same time, allocate minimized resources. The introduced security system has been implemented in an FPGA device. The supported ciphers' performance is compared with previously published works, and it has been proven superior to them, in most of the cases. The system’s synthesis results prove that the proposed architecture is a flexible and powerful solution for WTLS integration of today’s and future wireless networks. The system can be applied to wireless communications servers and mobile devices also. Finally, the proposed architecture can be used as a powerful security engine, in WAP communication networks, with special security demands.

2.
Abstract

The increase in the number of systems connected to networks and distributed systems connected via networks seen in recent years will continue. With networks, an additional level of complexity for security services is introduced. Before examining how security is applied to networks, a basic understanding of network organization is required.

3.
4.
Generally, if a user wants to use numerous different network services, he/she must register himself/herself to every service providing server. It is extremely hard for users to remember these different identities and passwords. In order to resolve this problem, various multi-server authentication protocols have been proposed. Recently, Sood et al. analyzed Hsiang and Shih's multi-server authentication protocol and proposed an improved dynamic identity based authentication protocol for multi-server architecture. They claimed that their protocol provides user's anonymity, mutual authentication, the session key agreement and can resist several kinds of attacks. However, through careful analysis, we find that Sood et al.'s protocol is still vulnerable to leak-of-verifier attack, stolen smart card attack and impersonation attack. Besides, since there is no way for the control server CS to know the real identity of the user, the authentication and session key agreement phase of Sood et al.'s protocol is incorrect. We propose an efficient and secure dynamic identity based authentication protocol for multi-server architecture that removes the aforementioned weaknesses. The proposed protocol is extremely suitable for use in distributed multi-server architecture since it provides user's anonymity, mutual authentication, efficiency, and security.

5.
The liberalization of different markets which are liable to legal metrology accelerates the need for transferring measuring data over open networks. This increases the involvement of communication technology in measuring systems and raises new security threats in legal metrology. The goal of the SELMA (Secure ELectronic Measurement dAta exchange) project is to create technical procedures according to legal requirements which ensure the secure transfer of measured energy data from decentralized meters to the authorized users via open networks. This paper gives an overall view of the research project SELMA and the developed concepts and technologies. The security architecture is presented and the standards and interfaces are described which were specified and afterwards used to implement and deploy a large-scale field trial. SELMA has developed a security architecture to establish trust in the electronic transfer of data from the meter to data acquisition systems and further to the customers. The introduced security mechanisms are based on asymmetric cryptography and more specifically on digital signatures that enable the signed measurement data to be verified and authenticated in conjunction with a suitable key management. Particular security units have been created that contain the necessary security mechanisms. The SELMA architecture represents a best practice solution of strong cryptographic mechanisms to secure a wide range of metrology applications and is compatible with appropriate European directives and guidelines.

6.
7.
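The security requirements, security challenges, and attacks faced by embedded systems are studied, and several typical embedded security architectures are analyzed. On this basis, a three-dimensional framework for the security architecture of network-enabled embedded systems is proposed. The framework treats security as an element of embedded system design from the conceptual design stage, integrates security into every abstraction layer of the embedded system, and considers it throughout the entire design process. Embedded systems designed according to this framework can reduce security vulnerabilities and maximize embedded system security under constraints on area, energy, and computing power.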

8.
Security has become a very critical issue in the provision of mobile services. The Open Mobile Alliance (OMA) has specified a powerful security layer, the WTLS. In this paper, a VLSI architecture for the implementation of the WTLS integrity unit is proposed. The proposed architecture is reconfigurable in the sense that it operates in three different modes: as Keyed-Hash Authentication Code (HMAC), as SHA-1 and MD5 hash functions, according to WTLS specifications. This multi-mode operation is achieved due to the reconfigurable applied design technique in the proposed architecture, which keeps the allocated area resources at a minimized level. The proposed architecture achieves high speed performance, due to the pipeline designed architecture. Especially, SHA-1 operation achieved throughput is equal to 1,7 Gbps, while MD5 operation mode bit rate is equal to 2,1 Gbps. The proposed architecture has been integrated by using VHDL and has been synthesized, placed and routed in an FPGA device. Comparisons with related hash functions implementations have been done in terms of throughput, operating frequency, allocated area and Area-Delay product. The achieved performance of the SHA-1 operation mode is better by about 14–42 times compared with the other conventional works. In addition, MD5 performance is superior to the other works by about 6–18 times, in all of the cases. The proposed Integrity Unit is a very trustful and powerful solution for the WTLS layer. In addition, it can be integrated in security systems which are used for the implementation networks for wireless protocols, with special needs of integrity in data transmission.

Nicolas Sklavos, Ph.D.: He is a Ph.D. Researcher with the Electrical and Computer Engineering Department, University of Patras, Greece. His interests include computer security, new encryption algorithms design, wireless communications and reconfigurable computing. He received an award for his Ph.D. thesis on “VLSI Designs of Wireless Communications Security Systems” from IFIP VLSI SOC 2003. He is a referee of International Journals and Conferences. He is a member of the IEEE, the Technical Chamber of Greece and the Greek Electrical Engineering Society. He has authored or co-authored up to 50 scientific articles in the areas of his research.

Paris Kitsos, Ph.D.: He is currently pursuing his Ph.D. in the Department of Electrical and Computer Engineering, University of Patras, Greece. He received the B.S. in Physics from the University of Patras in 1999. His research interests include VLSI design, hardware implementations of cryptography algorithms, security protocols for wireless communication systems and Galois field arithmetic implementations. He has published many technical papers in the areas of his research.

Epaminondas Alexopoulos: He is a student of the Department of Electrical and Computer Engineering, University of Patras, Greece. His research includes hardware implementations, mobile computing and security. He has published papers in the areas of his research.

Odysseas Koufopavlou, Ph.D.: He received the Diploma of Electrical Engineering in 1983 and the Ph.D. degree in Electrical Engineering in 1990, both from University of Patras, Greece. From 1990 to 1994 he was at the IBM Thomas J. Watson Research Center, Yorktown Heights, NY, USA. He is currently an Associate Professor at the Department of Electrical and Computer Engineering, University of Patras. His research interests include VLSI, low power design, VLSI crypto systems and high performance communication subsystems architecture and implementation. He has published more than 100 technical papers and received patents and inventions in these areas.

9.
Donald L. Adams 《EDPACS》2013,47(12):1-12
Abstract

As cyber-criminals get smarter and smarter, staying one step ahead of emerging security threats is getting harder and harder. Seemingly every day, news reports are filled with hair-raising stories about computer networks and corporations being terrorized by worms, viruses, hackers, and identity thieves. More than ever, companies need to pay strict attention to network security, not only to defend against attacks and protect customer data, but also to satisfy a growing list of government regulations such as the Sarbanes–Oxley (SOX) Act, the Health Insurance Portability and Accountability Act (HIPAA), California's privacy breach notification law SB1386, and the Federal Information Security Management Act (FISMA).

10.
ABSTRACT

Secure communication in wireless networks is necessary to access remote resources in a controlled and efficient way. For validation and authentication in e-banking and e-commerce transactions, digital signatures using public key cryptography are extensively employed. To maintain confidentiality, Digital Envelope, which is the combination of the encrypted message and signature with the encrypted symmetric key, is also used. In this paper we propose a timestamp-based authentication scheme with a modified Digital Envelope using hyperelliptic curve cryptosystem. HECC has advantages over the existing public key cryptosystems for its small key size and high security in wireless networks where resources are constrained. We have compared the performance of the proposed scheme with that of ECC and present a security analysis to show that our scheme can resist various attacks related to wireless networks.

11.
ABSTRACT

Rapid development in mobile devices and cloud computing technologies has increased the number of mobile services from different vendors on the cloud platform. However, users of these services are facing different security and access control challenges due to the nonexistence of security solutions capable of providing secure access to these services, which are from different vendors, using a single key. An effective security solution for heterogeneous Mobile Cloud Computing (MCC) services should be able to guarantee confidentiality and integrity through a single key-based authentication scheme. Meanwhile, a few of the existing authentication schemes for MCC services require different keys to access different services from different vendors on a cloud platform, thus increasing the complexity and overhead incurred through generation and storage of different keys for different services.

In this paper, an efficient mutual authentication scheme for accessing heterogeneous MCC services is proposed. The proposed scheme combines the user’s voice signature with cryptography operations to evolve an efficient mutual authentication scheme devoid of the key escrow problem and allows authorized users to use a single key to access the heterogeneous MCC services at a reduced cost.

12.
Abstract

In the previous article, “Preparing for Health Care Legislation,” we established the need for Health Care security concerns and emphasized an enterprise approach to properly and effectively establishing security for Electronic Medical Records (EMRs). In this article we present a technical architecture addressing the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

13.
A Novel Computer Architecture to Prevent Destruction by Viruses   Total citations: 1, self-citations: 0, citations by others: 1
In today's Internet computing world, illegal activities by crackers pose a serious threat to computer security. It is well known that computer viruses, Trojan horses and other intrusive programs may cause severe and often catastrophic consequences. This paper proposes a novel secure computer architecture based on security-code. Every instruction/data word is added with a security-code denoting its security level. External programs and data are automatically added with security-code by hardware when entering a computer system. Instruction with lower security-code cannot run or process instruction/data with higher security level. Security-code cannot be modified by normal instruction. With minor hardware overhead, the new architecture can effectively protect the main computer system from destruction or theft by intrusive programs such as computer viruses. For most PC systems it includes an increase of word-length by 1 bit on register, the memory and the hard disk.

14.
In this paper, we present a solution that reduces the time spent on providing network access in multi-domain mobile networks where the authentication process is based on the Extensible Authentication Protocol (EAP). The goal is to achieve fast and smooth handoffs by reducing the latency added by the authentication process. This process is typically required when a mobile user moves from one authenticator to another regardless of whether the new authenticator is in the same domain (intra-domain) or different domain (inter-domain). To achieve an efficient solution to this problem, it has been generally recognized that a fast and secure key distribution process is required. We propose a new fast re-authentication architecture that employs a secure three-party key distribution protocol which reduces the number of message exchanges during the network access control process. Our approach is proved to preserve security and verified by means of a formal tool. The resulting performance benefits are shown through our extensive simulations.

15.
Abstract

If one cannot effectively manage the growing volume of security events flooding the enterprise, one cannot secure one's business. Yet IT security teams are now being overwhelmed by literally millions of security-related messages every day. This daily deluge of security data is being generated by the numerous “point” security solutions deployed across the enterprise: firewalls, intrusion prevention and detection, access control, identity management, anti-virus, etc. These solutions all generate information in different formats, store it in different places, and forward to different locations. And it is more than anyone can handle.

16.
Abstract

Recent data breaches at major retailers have created an extra awareness of information security risks among IT internal auditors. This article focuses on top security topics which every internal auditor must consider before they finalize their audit plans.

17.
Data fusion in Vehicle-to-Everything (V2X) networks for different data types coming from different sources is the foundation for decision making in the smart vehicle driving systems. Different communication technologies have been combined to form a heterogeneous V2X network to support the data exchange. However, data fusion trust models are still designed for single use cases which cannot meet the general needs of Cooperative Intelligent Transport Systems (C-ITS). In this paper, we first define a data fusion trust architecture with different trust levels. Then, we propose an efficient and practical data fusion trust system for multi-source, multi-format data exchange in the V2X heterogeneous networks. In particular, a location-based PKI system with acceleration brought by General Purpose Graphic Processing Unit (GPGPU) is presented for efficient key distribution with a high level of trust achieved. A performance evaluation is given to verify that our data fusion trust system can meet the strict latency requirements in V2X networks.

18.
Abstract

The paper analyzes a recently proposed secure authentication and key agreement scheme for roaming service in a ubiquitous network. In 2018, Lee et al. proposed a biometric-based anonymous authentication scheme for roaming in ubiquitous networks. But, we found that Lee et al.’s scheme is prone to the off-line dictionary attack when a user’s smart device is stolen, replay attack due to static variables and de-synchronization attack when an adversary blocks a message causing failure of authentication mechanism. Further, the scheme lacks no key control property and has incorrect XOR calculation. In the sequel, we presented an improved biometric based scheme to remove the weaknesses in Lee et al.’s scheme, which also does not require an update of identity in every session, hence preventing de-synchronization attack. Also, the security of the proposed schemes was analyzed in a widely accepted random oracle model. Further, computational and communication cost comparisons indicate that our improved scheme is more suitable for ubiquitous networks.

19.
Security protocols in wired and wireless networks make use of computationally intensive cryptographic primitives and several message exchanges for authenticated key exchange at the session level and data confidentiality and integrity at the packet level. Moreover, changes in connectivity require mobile stations to repeatedly authenticate themselves, thereby expending more energy. In this paper, we propose an energy efficient security protocol for wireless local area networks (WLANs) that employs (a) different cryptographic primitives based on their suitability in terms of energy consumption and security level, (b) different levels of security and types of security services depending on the type of packet in 802.11 WLANs, and (c) a light-weight hashed key chain to reduce the number of expensive authentication transactions due to connectivity losses. We use packet traces from three different networks to compare the performance of the energy efficient security protocol with that of the standard 802.11 WLAN security protocol and show significant reduction in energy consumption.

20.
ABSTRACT

Cryptographic hash functions play a crucial role in networking and communication security, including their use for data integrity and message authentication. The Keccak hash algorithm is one of the finalists in the next generation SHA-3 hash algorithm competition. It is based on the sponge construction whose hardware performance is worth investigation. We developed an efficient hardware architecture for the Keccak hash algorithm on Field-Programmable Gate Array (FPGA). Due to the serialization exploited in the proposed architecture, the area needed for its implementation is reduced significantly accompanied by higher efficiency rate. In addition, low latency is attained so that higher operating frequencies can be accessed. We use the coprocessor approach which exploits the use of RAM blocks that exist in most FPGA platforms. For this coprocessor, a new datapath structure allowing parallel execution of multiple instructions is designed. Implementation results prove that our Keccak coprocessor achieves high performance in a small area.
