Multi-Factor Password-Authenticated Key Exchange via Pythia PRF Service

Multi-factor authentication (MFA) was proposed by Pointcheval et al. [Pointcheval and Zimmer (2008)] to improve the security of single-factor (and two-factor) authentication. As the backbone of multi-factor authentication, biometric data are widely observed. Especially, how to keep the privacy of biometric at the password database without impairing efficiency is still an open question. Using the vulnerability of encryption (or hash) algorithms, the attacker can still launch offline brute-force attacks on encrypted (or hashed) biometric data. To address the potential risk of biometric disclosure at the password database, in this paper, we propose a novel efficient and secure MFA key exchange (later denoted as MFAKE) protocol leveraging the Pythia PRF service and password-to-random (or PTR) protocol. Armed with the PTR protocol, a master password pwd can be translated by the user into independent pseudorandom passwords (or rwd) for each user account with the help of device (e.g., smart phone). Meanwhile, using the Pythia PRF service, the password database can avoid leakage of the local user’s password and biometric data. This is the first paper to achieve the password and biometric harden service simultaneously using the PTR protocol and Pythia PRF.     

Understanding Research Trends in Android Malware Research Using Information Modelling Techniques

Android has been dominating the smartphone market for more than a decade and has managed to capture 87.8% of the market share. Such popularity of Android has drawn the attention of cybercriminals and malware developers. The malicious applications can steal sensitive information like contacts, read personal messages, record calls, send messages to premium-rate numbers, cause financial loss, gain access to the gallery and can access the user’s geographic location. Numerous surveys on Android security have primarily focused on types of malware attack, their propagation, and techniques to mitigate them. To the best of our knowledge, Android malware literature has never been explored using information modelling techniques. Further, promulgation of contemporary research trends in Android malware research has never been done from semantic point of view. This paper intends to identify intellectual core from Android malware literature using Latent Semantic Analysis (LSA). An extensive corpus of 843 articles on Android malware and security, published during 2009–2019, were processed using LSA. Subsequently, the truncated singular Value Decomposition (SVD) technique was used for dimensionality reduction. Later, machine learning methods were deployed to effectively segregate prominent topic solutions with minimal bias. Apropos to observed term and document loading matrix values, this five core research areas and twenty research trends were identified. Further, potential future research directions have been detailed to offer a quick reference for information scientists. The study concludes to the fact that Android security is crucial for pervasive Android devices. Static analysis is the most widely investigated core area within Android security research and is expected to remain in trend in near future. Research trends indicate the need for a faster yet effective model to detect Android applications causing obfuscation, financial attacks and stealing user information.     

Hybrid Computational Modeling for Web Application Security Assessment

Transformation from conventional business management systems to smart digital systems is a recurrent trend in the current era. This has led to digital revolution, and in this context, the hardwired technologies in the software industry play a significant role However, from the beginning, software security remains a serious issue for all levels of stakeholders. Software vulnerabilities lead to intrusions that cause data breaches and result in disclosure of sensitive data, compromising the organizations’ reputation that translates into, financial losses as well. Most of the data breaches are financially motivated, especially in the healthcare sector. The cyber invaders continuously penetrate the E-Health data because of the high cost of the data on the dark web. Therefore, security assessment of healthcare web-based applications demands immediate intervention mechanisms to weed out the threats of cyber-attacks. The aim of this work is to provide efficient and effective healthcare web application security assessment. The study has worked with the hybrid computational model of Multi-Criteria Decision Making (MCDM) based on Analytical Hierarchy Process (AHP) and Technique for Order of Preference by Similarity to Ideal-Solutions (TOPSIS) under the Hesitant Fuzzy (HF) environment. Hesitant fuzzy sets provide effective solutions to address decision making problems where experts counter hesitation to make a decision. The proposed research endeavor will support designers and developers in identifying, selecting and prioritizing the best security attributes for web applications’ development. The empirical analysis concludes that Robustness got highest priority amongst the assessed security attributes set followed by Encryption, Authentication, Limit Access, Revoke Access, Data Validation, and Maintain Audit Trail. The results of this research endeavor depict that this proposed computational procedure would be the most conversant mechanism for determining the web application security. The study also establishes guidelines which the developers can refer for the identification and prioritization of security attributes to build more secure and trustworthy web-based applications.     

Provably Secure APK Redevelopment Authorization Scheme in the Standard Model

The secure issues of APK are very important in Android applications. In order to solve potential secure problems and copyrights issues in redevelopment of APK files, in this paper we propose a new APK redevelopment mechanism (APK-SAN). By exploring sanitizable signature technology, APK-SAN allows the original developer to authorize specified modifier who can redevelop the designated source code of APK files. Our scheme does not require interactions between the developer and modifiers. It can reduce the communication overhead and computational overhead for developers. Especially, the signature of redeveloped APK files is valid and maintains the copyrights. The proposed APK-SAN signature can effectively protect the security of the redeveloped APK files and copyrights of the developer and modifier.     

Fuzzy simultaneous measurement of two polarization vector components

The advent of quantum computers threatens the security of conventional encryption schemes (e.g., those based upon the excessive amount of computational time that might be required to guess your password). Quantum encryption is intended to restore the security by basing it instead upon the impossibility of the simultaneous measurement of two noncommuting operators. I derive a measurement associated with the angular momentum lowering operator, which describes a simultaneous (yet realizable) measurement of two noncommuting spin-vector components. Correlations between two such detectors are also discussed and compared with the conventional Stern-Gerlach results.     

Exploitability prediction of software vulnerabilities

The number of security failure discovered and disclosed publicly are increasing at a pace like never before. Wherein, a small fraction of vulnerabilities encountered in the operational phase are exploited in the wild. It is difficult to find vulnerabilities during the early stages of software development cycle, as security aspects are often not known adequately. To counter these security implications, firms usually provide patches such that these security flaws are not exploited. It is a daunting task for a security manager to prioritize patches for vulnerabilities that are likely to be exploitable. This paper fills this gap by applying different machine learning techniques to classify the vulnerabilities based on previous exploit-history. Our work indicates that various vulnerability characteristics such as severity, type of vulnerabilities, different software configurations, and vulnerability scoring parameters are important features to be considered in judging an exploit. Using such methods, it is possible to predict exploit-prone vulnerabilities with an accuracy >85%. Finally, with this experiment, we conclude that supervised machine learning approach can be a useful technique in predicting exploit-prone vulnerabilities.     

SMINER: Detecting Unrestricted and Misimplemented Behaviors of Software Systems Based on Unit Test Cases

Despite the advances in automated vulnerability detection approaches, security vulnerabilities caused by design flaws in software systems are continuously appearing in real-world systems. Such security design flaws can bring unrestricted and misimplemented behaviors of a system and can lead to fatal vulnerabilities such as remote code execution or sensitive data leakage. Therefore, it is an essential task to discover unrestricted and misimplemented behaviors of a system. However, it is a daunting task for security experts to discover such vulnerabilities in advance because it is time-consuming and error-prone to analyze the whole code in detail. Also, most of the existing vulnerability detection approaches still focus on detecting memory corruption bugs because these bugs are the dominant root cause of software vulnerabilities. This paper proposes SMINER, a novel approach that discovers vulnerabilities caused by unrestricted and misimplemented behaviors. SMINER first collects unit test cases for the target system from the official repository. Next, preprocess the collected code fragments. SMINER uses pre-processed data to show the security policies that can occur on the target system and creates a test case for security policy testing. To demonstrate the effectiveness of SMINER, this paper evaluates SMINER against Robot Operating System (ROS), a real-world system used for intelligent robots in Amazon and controlling satellites in National Aeronautics and Space Administration (NASA). From the evaluation, we discovered two real-world vulnerabilities in ROS.     

An integrated framework for software vulnerability detection,analysis and mitigation: an autonomic system

Nowadays, the number of software vulnerabilities incidents and the loss due to occurrence of software vulnerabilities are growing exponentially. The current existing security strategies, the vulnerability detection and remediating approaches are not intelligent, automated, self-managed and not competent to combat against the vulnerabilities and security threats, and to provide secured self-managed software environment to the organizations. Hence, there is a strong need to devise an intelligent and automated approach to optimize security and prevent the occurrence of vulnerabilities or mitigate the vulnerabilities. The autonomic computing is a nature-inspired and self-management-based computational model. In this paper, an autonomic-computing-based integrated framework is proposed to detect, fire the trigger of alarm, assess, classify, prioritize, mitigate and manage the software vulnerability automatically. The proposed framework uses a knowledge base and inference engine, which automatically takes the remediating actions on future occurrence of software security vulnerabilities through self-configuration, self-healing, self-prevention and self-optimization as per the needs. The proposed framework is beneficial to industry and society in various aspects because it is an integrated, cross-concern and intelligent framework and provides more secured self-managed environment to the organizations. The proposed framework reduces the security risks and threats, and also monetary and reputational loss. It can be embedded easily in existing software and incorporated or implemented as an inbuilt integral component of the new software during software development.     

Optical image encryption using password key based on phase retrieval algorithm

A novel optical image encryption system is proposed using password key based on phase retrieval algorithm (PRA). In the encryption process, a shared image is taken as a symmetric key and the plaintext is encoded into the phase-only mask based on the iterative PRA. The linear relationship between the plaintext and ciphertext is broken using the password key, which can resist the known plaintext attack. The symmetric key and the retrieved phase are imported into the input plane and Fourier plane of 4f system during the decryption, respectively, so as to obtain the plaintext on the CCD. Finally, we analyse the key space of the password key, and the results show that the proposed scheme can resist a brute force attack due to the flexibility of the password key.     

Verifiable Diversity Ranking Search Over Encrypted Outsourced Data

Data outsourcing has become an important application of cloud computing. Driven by the growing security demands of data outsourcing applications, sensitive data have to be encrypted before outsourcing. Therefore, how to properly encrypt data in a way that the encrypted and remotely stored data can still be queried has become a challenging issue. Searchable encryption scheme is proposed to allow users to search over encrypted data. However, most searchable encryption schemes do not consider search result diversification, resulting in information redundancy. In this paper, a verifiable diversity ranking search scheme over encrypted outsourced data is proposed while preserving privacy in cloud computing, which also supports search results verification. The goal is that the ranked documents concerning diversification instead of reading relevant documents that only deliver redundant information. Extensive experiments on real-world dataset validate our analysis and show that our proposed solution is effective for the diversification of documents and verification.     

Web Service中的XML数据交换的安全机制方法研究

通过对WebService中可能实现的安全防范措施进行研究,分析比较了现有解决方案的优劣.最后,提供了一种实现基于XML数据安全交换的方法,据此加密方法可以解决一些常见的安全漏洞.     

High Security for De-Duplicated Big Data Using Optimal SIMON Cipher

Cloud computing offers internet location-based affordable, scalable, and independent services. Cloud computing is a promising and a cost-effective approach that supports big data analytics and advanced applications in the event of forced business continuity events, for instance, pandemic situations. To handle massive information, clusters of servers are required to assist the equipment which enables streamlining the widespread quantity of data, with elevated velocity and modified configurations. Data deduplication model enables cloud users to efficiently manage their cloud storage space by getting rid of redundant data stored in the server. Data deduplication also saves network bandwidth. In this paper, a new cloud-based big data security technique utilizing dual encryption is proposed. The clustering model is utilized to analyze the Deduplication process hash function. Multi kernel Fuzzy C means (MKFCM) was used which helps cluster the data stored in cloud, on the basis of confidence data encryption procedure. The confidence finest data is implemented in homomorphic encryption data wherein the Optimal SIMON Cipher (OSC) technique is used. This security process involving dual encryption with the optimization model develops the productivity mechanism. In this paper, the excellence of the technique was confirmed by comparing the proposed technique with other encryption and clustering techniques. The results proved that the proposed technique achieved maximum accuracy and minimum encryption time.     

On the Privacy-Preserving Outsourcing Scheme of Reversible Data Hiding over Encrypted Image Data in Cloud Computing

Advanced cloud computing technology provides cost saving and flexibility of services for users. With the explosion of multimedia data, more and more data owners would outsource their personal multimedia data on the cloud. In the meantime, some computationally expensive tasks are also undertaken by cloud servers. However, the outsourced multimedia data and its applications may reveal the data owner’s private information because the data owners lose the control of their data. Recently, this thought has aroused new research interest on privacy-preserving reversible data hiding over outsourced multimedia data. In this paper, two reversible data hiding schemes are proposed for encrypted image data in cloud computing: reversible data hiding by homomorphic encryption and reversible data hiding in encrypted domain. The former is that additional bits are extracted after decryption and the latter is that extracted before decryption. Meanwhile, a combined scheme is also designed. This paper proposes the privacy-preserving outsourcing scheme of reversible data hiding over encrypted image data in cloud computing, which not only ensures multimedia data security without relying on the trustworthiness of cloud servers, but also guarantees that reversible data hiding can be operated over encrypted images at the different stages. Theoretical analysis confirms the correctness of the proposed encryption model and justifies the security of the proposed scheme. The computation cost of the proposed scheme is acceptable and adjusts to different security levels.     

Amino Acid Encryption Method Using Genetic Algorithm for Key Generation

In this new information era, the transfer of data and information has become a very important matter. Transferred data must be kept secured from unauthorized persons using cryptography. The science of cryptography depends not only on complex mathematical models but also on encryption keys. Amino acid encryption is a promising model for data security. In this paper, we propose an amino acid encryption model with two encryption keys. The first key is generated randomly using the genetic algorithm. The second key is called the protein key which is generated from converting DNA to a protein message. Then, the protein message and the first key are used in the modified Playfair matrix to generate the cypher message. The experimental results show that the proposed model survives against known attacks such as the Brute-force attack and the Ciphertext-only attack. In addition, the proposed model has been tested over different types of characters including white spaces and special characters, as all the data is encoded to 8-bit binary. The performance of the proposed model is compared with other models using encryption time and decryption time. The model also balances all three principles in the CIA triad.     

Chosen-Ciphertext Attack Secure Public-Key Encryption with Keyword Search

As the use of cloud storage for various services increases, the amount of private personal information along with data stored in the cloud storage is also increasing. To remotely use the data stored on the cloud storage, the data to be stored needs to be encrypted for this reason. Since “searchable encryption” is enable to search on the encrypted data without any decryption, it is one of convenient solutions for secure data management. A public key encryption with keyword search (for short, PEKS) is one of searchable encryptions. Abdalla et al. firstly defined IND-CCA security for PEKS to enhance it’s security and proposed consistent IND-CCA secure PEKS based on the “robust” ANO-CCA secure identity-based encryption(IBE). In this paper, we propose two generic constructions of consistent IND-CCA secure PEKS combining (1) a hierarchical identity based encryption (for short, HIBE) and a signature scheme or (2) a HIBE, an encapsulation, and a message authentication code (for short, MAC) scheme. Our generic constructions identify that HIBE requires the security of a signature or a MAC as well as the weaker “ANO-CPA security (resp., IND-CPA security)” of HIBE than “ANO-CCA security (resp., IND-CCA security)” of IBE required in for achieving IND-CCA secure (resp., consistent) PEKS. Finally, we prove that our generic constructions satisfy IND-CCA security and consistency under the security models.     

A New Multi Chaos-Based Compression Sensing Image Encryption

The advancements in technology have substantially grown the size of image data. Traditional image encryption algorithms have limited capabilities to deal with the emerging challenges in big data, including compression and noise toleration. An image encryption method that is based on chaotic maps and orthogonal matrix is proposed in this study. The proposed scheme is built on the intriguing characteristics of an orthogonal matrix. Gram Schmidt disperses the values of pixels in a plaintext image by generating a random orthogonal matrix using logistic chaotic map. Following the diffusion process, a block-wise random permutation of the data is performed using multi-chaos. The proposed scheme provides sufficient security and resilience to JPEG compression and channel noise through a series of experiments and security evaluations. It enables Partial Encryption (PE) for faster processing as well as complete encryption for increased security. The higher values of the number of pixels change rates and unified average change intensity confirm the security of the encryption scheme. In contrast to other schemes, the proposed approach can perform full and partial encryption depending on security requirements.     

Benchmarking Approach to Compare Web Applications Static Analysis Tools Detecting OWASP Top Ten Security Vulnerabilities

To detect security vulnerabilities in a web application, the security analyst must choose the best performance Security Analysis Static Tool (SAST) in terms of discovering the greatest number of security vulnerabilities as possible. To compare static analysis tools for web applications, an adapted benchmark to the vulnerability categories included in the known standard Open Web Application Security Project (OWASP) Top Ten project is required. The information of the security effectiveness of a commercial static analysis tool is not usually a publicly accessible research and the state of the art on static security tool analyzers shows that the different design and implementation of those tools has different effectiveness rates in terms of security performance. Given the significant cost of commercial tools, this paper studies the performance of seven static tools using a new methodology proposal and a new benchmark designed for vulnerability categories included in the known standard OWASP Top Ten project. Thus, the practitioners will have more precise information to select the best tool using a benchmark adapted to the last versions of OWASP Top Ten project. The results of this work have been obtaining using widely acceptable metrics to classify them according to three different degree of web application criticality.     

Hill Matrix and Radix-64 Bit Algorithm to Preserve Data Confidentiality

There are many cloud data security techniques and algorithms available that can be used to detect attacks on cloud data, but these techniques and algorithms cannot be used to protect data from an attacker. Cloud cryptography is the best way to transmit data in a secure and reliable format. Various researchers have developed various mechanisms to transfer data securely, which can convert data from readable to unreadable, but these algorithms are not sufficient to provide complete data security. Each algorithm has some data security issues. If some effective data protection techniques are used, the attacker will not be able to decipher the encrypted data, and even if the attacker tries to tamper with the data, the attacker will not have access to the original data. In this paper, various data security techniques are developed, which can be used to protect the data from attackers completely. First, a customized American Standard Code for Information Interchange (ASCII) table is developed. The value of each Index is defined in a customized ASCII table. When an attacker tries to decrypt the data, the attacker always tries to apply the predefined ASCII table on the Ciphertext, which in a way, can be helpful for the attacker to decrypt the data. After that, a radix 64-bit encryption mechanism is used, with the help of which the number of cipher data is doubled from the original data. When the number of cipher values is double the original data, the attacker tries to decrypt each value. Instead of getting the original data, the attacker gets such data that has no relation to the original data. After that, a Hill Matrix algorithm is created, with the help of which a key is generated that is used in the exact plain text for which it is created, and this Key cannot be used in any other plain text. The boundaries of each Hill text work up to that text. The techniques used in this paper are compared with those used in various papers and discussed that how far the current algorithm is better than all other algorithms. Then, the Kasiski test is used to verify the validity of the proposed algorithm and found that, if the proposed algorithm is used for data encryption, so an attacker cannot break the proposed algorithm security using any technique or algorithm.     

Efficient Secure Data Provenance Scheme in Multimedia Outsourcing and Sharing

To cope with privacy leakage caused by multimedia outsourcing and sharing, data provenance is used to analyze leaked multimedia and provide reactive accountability. Existing schemes of multimedia provenance are based on watermarking protocols. In an outsourcing scenario, existing schemes face two severe challenges: 1) when data leakage occurs, there exists a probability that data provenance results can be repudiated, in which case data provenance tracking fails; and 2) when outsourced data are shared, data encryption transfer causes key management burden outside the schemes, and privacy leakage threatens users. In this paper, we propose a novel data provenance scheme with an improved LUT-based fingerprinting protocol, which integrates an asymmetric watermarking protocol, robust watermark algorithm and homomorphic encryption and digital signatures to achieve full non-repudiation provenance. We build an in-scheme stream cipher to protect outsourced multimedia data from privacy leakage and complicated key management. Our scheme is also lightweight and easy to deploy. Extensive security and performance analysis compares our scheme with the state of the art. The results show that our scheme has not only better provenance security and data confidentiality but also higher efficiency for multimedia outsourcing, sharing and provenance.     

An Improved Dictionary Cracking Scheme Based on Multiple GPUs for Wi-Fi Network

The Internet has penetrated all aspects of human society and has promoted social progress. Cyber-crimes in many forms are commonplace and are dangerous to society and national security. Cybersecurity has become a major concern for citizens and governments. The Internet functions and software applications play a vital role in cybersecurity research and practice. Most of the cyber-attacks are based on exploits in system or application software. It is of utmost urgency to investigate software security problems. The demand for Wi-Fi applications is proliferating but the security problem is growing, requiring an optimal solution from researchers. To overcome the shortcomings of the wired equivalent privacy (WEP) algorithm, the existing literature proposed security schemes for Wi-Fi protected access (WPA)/WPA2. However, in practical applications, the WPA/WPA2 scheme still has some weaknesses that attackers exploit. To destroy a WPA/WPA2 security, it is necessary to get a PSK pre-shared key in pre-shared key mode, or an MSK master session key in the authentication mode. Brute-force cracking attacks can get a phase-shift keying (PSK) or a minimum shift keying (MSK). In real-world applications, many wireless local area networks (LANs) use the pre-shared key mode. Therefore, brute-force cracking of WPA/WPA2-PSK is important in that context. This article proposes a new mechanism to crack the Wi-Fi password using a graphical processing unit (GPU) and enhances the efficiency through parallel computing of multiple GPU chips. Experimental results show that the proposed algorithm is effective and provides a procedure to enhance the security of Wi-Fi networks.