Authentication and Authorization (2014 Year in Review) Part 2

SoS Newsletter


Authentication and authorization are cornerstones of computer security. As systems become larger, faster and more complex, established authentication and authorization methods and protocols are showing their limits. The research cited here explores new methods and techniques for cloud and intercloud identity federation, biometric and graphical password authentication, OAuth delegation and accounting, flow-based network access control, and device authentication for the Internet of Things. The work presented here was published in 2014.


Miao Yingkai; Chen Jia, "A Kind of Identity Authentication under Cloud Computing Environment," Intelligent Computation Technology and Automation (ICICTA), 2014 7th International Conference on, pp. 12-15, 25-26 Oct. 2014. doi: 10.1109/ICICTA.2014.10

Abstract: An identity authentication scheme is proposed that combines biometric encryption, homomorphic public key cryptography and predicate encryption technology under the cloud computing environment. The identity authentication scheme is based on voice and homomorphism technology. The scheme is divided into four stages: the register and training template stage, the voice login and authentication stage, the authorization stage, and the audit stage. The results prove the scheme has certain advantages in four aspects.

Keywords: authorisation; cloud computing; public key cryptography; audit stage; authorization stage; biometric encryption; cloud computing environment; encryption technology; homomorphism technology; identity authentication scheme; public key cryptography; register and training template stage; voice login and authentication stage; voice technology; Authentication; Cloud computing; Encryption; Servers; Spectrogram; Training; cloud computing; homomorphism; identity authentication   (ID#:15-4064)



Jen Ho Yang; Pei Yu Lin, "An ID-Based User Authentication Scheme for Cloud Computing," Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP), 2014 Tenth International Conference on, pp. 98-101, 27-29 Aug. 2014. doi: 10.1109/IIH-MSP.2014.31

Abstract: In cloud computing environments, the user authentication scheme is an important security tool because it provides the authentication, authorization, and accounting for cloud users. Therefore, many user authentication schemes for cloud computing have been proposed in recent years. However, we find that most of the previous authentication schemes have some security problems. Besides, they cannot be implemented in cloud computing. To solve the above problems, we propose a new ID-based user authentication scheme for cloud computing in this paper. Compared with the related works, the proposed scheme has higher security levels and lower computation costs. In addition, it can be easily applied to cloud computing environments. Therefore, the proposed scheme is more efficient and practical than the related works.

Keywords: authorisation; cloud computing; ID-based user authentication scheme; authorization; cloud computing environments; Authentication; Cloud computing; Cryptography; Law; Nickel; Servers; ID-based scheme; anonymity; cloud computing; cryptography; mobile devices; user authentication   (ID#:15-4065)



Singh, S.; Sharma, S., "Improving Security Mechanism To Access HDFS Data By Mobile Consumers Using Middleware-Layer Framework," Computing, Communication and Networking Technologies (ICCCNT), 2014 International Conference on, pp. 1-7, 11-13 July 2014. doi: 10.1109/ICCCNT.2014.6963051

Abstract: The revolution in the field of technology has led to the development of cloud computing, which delivers on-demand and easy access to large shared pools of online stored data, software and applications. It has changed the way IT resources are utilized, but at the cost of security breaches as well, such as phishing attacks, impersonation, and lack of confidentiality and integrity. Thus this research work deals with the core problem of providing absolute security to the mobile consumers of a public cloud, to improve the mobility of users accessing data stored on the public cloud securely using tokens, without depending upon a third party to generate them. This paper presents the approach of simplifying the process of authenticating and authorizing mobile users by implementing a middleware-centric framework called the MiLAMob model with the huge online data storage system HDFS. It allows consumers to access the data from HDFS via mobiles or through social networking sites, e.g. Facebook, Gmail, Yahoo etc., using the OAuth 2.0 protocol. For authentication, the tokens are generated using a one-time password generation technique and then encrypted using the AES method. By implementing flexible user-based policies and standards, this model improves the authorization process.

Keywords: authorisation; cloud computing; cryptography; information retrieval; middleware; mobile computing; protocols; social networking (online); storage management; AES method; Facebook; Gmail; HDFS data access; IT resources; MiLAMob model; OAuth 2.0 protocol; Yahoo; authorization process; cloud computing; encryption; flexible user based policies; middleware-centric framework; middleware-layer framework; mobile consumers; one-time password generation technique; online data storage system; online stored data; public cloud; security mechanism; social networking sites; tokens; Authentication; Cloud computing; Data models; Mobile communication; Permission; Social network services; Authentication; Authorization; Computing; HDFS; MiLAMob; OAuth 2.0; Security; Token   (ID#:15-4066)



Kun-Lin Tsai; Jiu-Soon Tan; Fang-Yie Leu; Yi-Li Huang, "A Group File Encryption Method using Dynamic System Environment Key," Network-Based Information Systems (NBiS), 2014 17th International Conference on, pp. 476-483, 10-12 Sept. 2014. doi: 10.1109/NBiS.2014.22

Abstract: File encryption is an effective way for an enterprise to prevent its data from being lost. However, the data may still be deliberately or inadvertently leaked out by insiders or customers. When sensitive data are leaked, it often results in huge monetary damages and credit loss. In this paper, we propose a novel group file encryption/decryption method, named the Group File Encryption Method using Dynamic System Environment Key (GEMS for short), which provides users with auto crypt, authentication, authorization, and auditing security schemes by utilizing a group key and a system environment key. In the GEMS, the important parameters are hidden and stored in different devices to keep them from being cracked easily. Besides, it can resist known-key and eavesdropping attacks to achieve a very high security level, which is practically useful in securing an enterprise's and a government's private data.

Keywords: authorisation; business data processing; cryptography; file organisation; message authentication; GEMS; auditing security scheme; authentication; authorization; autocrypt; decryption method; dynamic system environment key; eavesdropping attack; group file encryption; security level; Authentication; Cloud computing; Computers; Encryption; Servers; DRM; group file encryption; security; system environment key   (ID#:15-4067)



Demchenko, Y.; Canh Ngo; de Laat, C.; Lee, C., "Federated Access Control in Heterogeneous Intercloud Environment: Basic Models and Architecture Patterns," Cloud Engineering (IC2E), 2014 IEEE International Conference on, pp. 439-445, 11-14 March 2014. doi: 10.1109/IC2E.2014.84

Abstract: This paper presents on-going research to define the basic models and architecture patterns for federated access control in heterogeneous (multi-provider) multi-cloud and inter-cloud environments. The proposed research contributes to the further definition of the Intercloud Federation Framework (ICFF), which is a part of the general Intercloud Architecture Framework (ICAF) proposed by the authors in earlier works. ICFF attempts to address the interoperability and integration issues in provisioning on-demand multi-provider multi-domain heterogeneous cloud infrastructure services. The paper describes the major inter-cloud federation scenarios, which in general involve two types of federations: customer-side federation, which includes federation between cloud based services and customer campus or enterprise infrastructure, and provider-side federation, which is created by a group of cloud providers to outsource or broker their resources when provisioning services to customers. The proposed federated access control model uses a Federated Identity Management (FIDM) model that can also be supported by trusted third party entities such as a Cloud Service Broker (CSB) and/or trust broker to establish dynamic trust relations between entities without previously existing trust. The research analyses different federated identity management scenarios, defines the basic architecture patterns and the main components of the distributed federated multi-domain Authentication and Authorisation infrastructure.

Keywords: authorisation; cloud computing; operating systems (computers); outsourcing; software architecture; trusted computing; CSB; FIDM model; ICAF; ICFF; architecture patterns; authorisation infrastructure; cloud based services; cloud service broker; customer campus; customer-side federation; distributed federated multidomain authentication; dynamic trust relations; enterprise infrastructure; federated access control model; federated identity management model; federated identity management scenarios; heterogeneous intercloud environment; heterogeneous multiprovider intercloud environment; heterogeneous multiprovider multicloud environment; integration issue; intercloud architecture framework; intercloud federation framework; intercloud federation scenarios; interoperability issue; on-demand multiprovider multidomain heterogeneous cloud infrastructure services; provider-side federation; resource brokering; resource outsourcing; trusted third party entities; Authorization; Cloud computing; Computer architecture; Dynamic scheduling; Organizations; Authorisation; Cloud Security infrastructure; Federated Identity Management; Federated Intercloud Access Control Infrastructure; Intercloud Architecture Framework; Intercloud Federations Framework   (ID#:15-4068)



Tekeni, L.; Thomson, K.-L.; Botha, R.A., "Concerns Regarding Service Authorization By IP Address Using Eduroam," Information Security for South Africa (ISSA), 2014, pp. 1-6, 13-14 Aug. 2014. doi: 10.1109/ISSA.2014.6950495

Abstract: Eduroam is a secure WLAN roaming service between academic and research institutions around the globe. It allows users from participating institutions secure Internet access at any other participating visited institution using their home credentials. The authentication credentials are verified by the home institution, while authorization is done by the visited institution. The user receives an IP address in the range of the visited institution, and accesses the Internet through the firewall and proxy servers of the visited institution. However, access granted to services that authorize via an IP address of the visited institution may include access to services that are not allowed at the home institution, due to legal agreements. This paper looks at typical legal agreements with service providers and explores the risks and countermeasures that need to be considered when using eduroam.

Keywords: IP networks; Internet; authorisation; firewalls; home networks; wireless LAN; IP address; authentication credentials; eduroam; firewall; home credentials; home institution; legal agreements; proxy servers; secure Internet access; secure WLAN roaming service; service authorization; visited institution; IEEE Xplore; Servers; Authorization; IP-Based; Service Level Agreement; eduroam   (ID#:15-4069)



van Thuan, D.; Butkus, P.; van Thanh, D., "A User Centric Identity Management for Internet of Things," IT Convergence and Security (ICITCS), 2014 International Conference on, pp. 1-4, 28-30 Oct. 2014. doi: 10.1109/ICITCS.2014.7021724

Abstract: In the future Internet of Things, it is envisioned that things are collaborating to serve people. Unfortunately, this vision cannot be realised without relations between things and people. To solve the problem, this paper proposes a user centric identity management system that incorporates user identity, device identity and the relations between them. The proposed IDM system is user centric and allows device authentication and authorization based on the user identity. A typical compelling use case of the proposed solution is also given.

Keywords: Internet of Things; authorisation; IDM system; Internet of Things; authorization; device authentication; device identity; user centric identity management; user identity; Authentication; Identity management systems; Internet of Things; Medical services; Mobile handsets   (ID#:15-4070)



Matias, J.; Garay, J.; Mendiola, A.; Toledo, N.; Jacob, E., "FlowNAC: Flow-based Network Access Control," Software Defined Networks (EWSDN), 2014 Third European Workshop on, pp. 79-84, 1-3 Sept. 2014. doi: 10.1109/EWSDN.2014.39

Abstract: This paper presents FlowNAC, a Flow-based Network Access Control solution that allows granting users the rights to access the network depending on the target service requested. Each service, defined univocally as a set of flows, can be independently requested and multiple services can be authorized simultaneously. Building this proposal over SDN principles has several benefits: SDN adds the appropriate granularity (fine- or coarse-grained) depending on the target scenario and the flexibility to dynamically identify the services at the data plane as a set of flows to enforce the adequate policy. FlowNAC uses a modified version of IEEE 802.1X (a novel EAPoL-in-EAPoL encapsulation) to authenticate the users (without the need for a captive portal) and service-level access control based on proactive deployment of flows (instead of reactive). An explicit service request avoids misidentifying the target service, as could happen by analyzing the traffic (e.g. private services). The proposal is evaluated in a challenging scenario (concurrent authentication and authorization processes) with promising results.

Keywords: authorisation; computer network security; cryptographic protocols; EAPoL-in-EAPoL encapsulation; FlowNAC; IEEE 802.1X; authentication; authorization; flow-based network access control; Authentication; Authorization; Ports (Computers); Protocols; Servers; Standards; Network Access Control; Security; Software Defined Networking   (ID#:15-4071)



Gopejenko, V.; Bobrovskis, S., "Robust Security Network Association Adjusted Hybrid Authentication Schema," Application of Information and Communication Technologies (AICT), 2014 IEEE 8th International Conference on, pp. 1-5, 15-17 Oct. 2014. doi: 10.1109/ICAICT.2014.7035907

Abstract: A wireless network, whether ad hoc or at enterprise level, is vulnerable due to its open medium, and usually due to weak authentication, authorization, encryption, monitoring and accounting mechanisms. Various wireless vulnerability situations, as well as the minimal features that are required in order to protect, monitor, account, authenticate and authorize nodes, users and computers on the network, are examined. Also, aspects of several IEEE security standards, both ratified and still in draft, are described.

Keywords: IEEE standards; authorisation; cryptography; message authentication; radio networks; telecommunication security; IEEE security standard; accounting mechanism; authorization; encryption; hybrid authentication schema; monitoring mechanism; robust security network association; weak authentication; wireless network; wireless vulnerability situation; Authentication; Communication system security; Cryptography; Robustness; Servers; Wireless communication; 802.11 standards; 802.1X framework; Authentication; Encryption; Extensible Authentication Protocol; Network Access Protection; Robust Secure Network; Wired Equivalent Privacy; Wireless Intrusion Detection System; Wireless Intrusion Prevention System   (ID#:15-4072)



Sindhu, S.M.; Kanchana, R., "Security Solutions For Web Service Attacks In A Dynamic Composition Scenario," Advanced Communication Control and Computing Technologies (ICACCCT), 2014 International Conference on, pp. 624-628, 8-10 May 2014. doi: 10.1109/ICACCCT.2014.7019163

Abstract: Web Services can be invoked from anywhere through the internet without having much knowledge of the implementation details. In some cases, a single service cannot accomplish user needs. One or more services must be composed which together satisfy the user needs. Therefore, security is the most important concern not only at the single service level but also at the composition level. Several attacks are possible on SOAP messages communicated among Web Services because of their standardized interfaces. Examples of Web Service attacks are oversize payload, SOAPAction spoofing, XML injection, WS-Addressing spoofing, etc. Most of the existing works provide solutions to ensure basic security features of Web Services such as confidentiality, integrity, authentication, authorization, and non-repudiation. Very few of the existing works provide solutions such as schema validation and schema hardening for attacks on Web Services. But these solutions do not address and provide attack-specific solutions for SOAP messages communicated between Web Services. Hence, it is proposed to provide solutions for two of the prevailing Web Service attacks. Since new types of Web Service attacks are evolving over time, the proposed security solutions are implemented as APIs that are pluggable in any server where the Web Service is deployed.

Keywords: Web services; application program interfaces; authorisation; data integrity; protocols; service-oriented architecture; API; Internet; SOA; SOAP messages; SOAPAction spoofing; WS-Addressing spoofing; Web service attacks; XML injection; authentication; authorization; confidentiality; dynamic composition scenario; integrity; nonrepudiation; schema hardening; schema validation; security solutions; service oriented architecture; simple object access protocol; Electronic publishing; Information services; Lead; Security; Simple object access protocol; Standards; SAS API; SOAP; UDDI; WSAS API; WSDL; Web Services   (ID#:15-4073)



Albino Pereira, A.; Bosco M. Sobral, J.; Merkle Westphall, C., "Towards Scalability for Federated Identity Systems for Cloud-Based Environments," New Technologies, Mobility and Security (NTMS), 2014 6th International Conference on, pp. 1-5, 30 March-2 April 2014. doi: 10.1109/NTMS.2014.6814055

Abstract: As multi-tenant authorization and federated identity management systems for cloud computing mature, the provisioning of services using this paradigm allows maximum efficiency for businesses that require access control. However, regarding scalability support, mainly horizontal, some characteristics of those approaches based on central authentication protocols are problematic. The objective of this work is to address these issues by providing an adapted sticky-session mechanism for a Shibboleth architecture using CAS. This alternative, compared with the recommended shared memory approach, showed improved efficiency and less overall infrastructure complexity.

Keywords: authorisation; cloud computing; cryptographic protocols; CAS; Shibboleth architecture; central authentication protocols; central authentication service; cloud based environments; cloud computing; federated identity management systems; federated identity system scalability; multitenant authorization; sticky session mechanism; Authentication; Cloud computing; Proposals; Scalability; Servers; Virtual machining   (ID#:15-4074)



Yi-Hui Chen; Chi-Shiang Chan; Po-Yu Hsu; Wei-Lin Huang, "Tagged Visual Cryptography With Access Control," Multimedia and Expo Workshops (ICMEW), 2014 IEEE International Conference on, pp. 1-5, 14-18 July 2014. doi: 10.1109/ICMEW.2014.6890648

Abstract: Visual cryptography is a way to encrypt a secret image into several meaningless share images. Note that no information can be obtained if not all of the shares are collected. By stacking the share images, the secret image can be retrieved. The share images are meaningless to their owner, which makes them difficult to manage. Tagged visual cryptography is a technique to print a pattern onto the meaningless share images. After that, users can easily manage their own share images according to the printed pattern. Besides, access control is another popular topic, allowing a user or a group to see their own authorizations. In this paper, a self-authentication mechanism with lossless construction ability for an image secret sharing scheme is proposed. The experiments provide positive data to show the feasibility of the proposed scheme.

Keywords: authorisation; cryptography; image coding; message authentication; access control; authorization; image secret sharing scheme; lossless construction ability; meaningless share images; printed pattern; secret image; self-authentication mechanism; tagged visual cryptography; Authentication; Encryption; Equations; Pattern recognition; Stacking; Visualization; Visual cryptography; access control; secret sharing; tagged visual cryptography   (ID#:15-4075)
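The mechanism the abstract above opens with (a secret image split into noise-like shares, recovered by physically stacking them) is simple enough to show end to end. The block below is an added illustration written for this newsletter, not code from Chen et al.; it implements the classic two-out-of-two scheme with two subpixels per pixel, and does not model the paper's tagging or access-control additions. A white pixel gives both shares the same randomly chosen subpixel pattern, a black pixel gives them complementary patterns; stacking transparencies is a per-subpixel OR. Because the pattern is drawn uniformly whatever the pixel value, a single share is statistically independent of the secret. The sample image is constructed for the example.

```python
"""(2,2) visual secret sharing with 2-subpixel expansion.

Added illustration of the mechanism described in the abstract; not code from
Chen et al. Pixels are 0 = white, 1 = black. Tagging and access control from
the paper are not modelled.
"""
import random

# Every secret pixel becomes two subpixels; exactly one of them is black in
# each share, so a share on its own looks like uniform noise.
PATTERNS = ((1, 0), (0, 1))


def make_shares(secret, seed=None):
    """Split a binary image (list of rows of 0/1) into two share images.

    A white pixel gives both shares the same random pattern; a black pixel
    gives share 2 the complementary pattern. The pattern choice does not
    depend on the pixel, which is why one share carries no information.
    seed is for reproducible tests only; leave it None for a real split.
    """
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    share1, share2 = [], []
    for row in secret:
        r1, r2 = [], []
        for pixel in row:
            pat = rng.choice(PATTERNS)
            r1.extend(pat)
            r2.extend(pat if pixel == 0 else tuple(1 - b for b in pat))
        share1.append(r1)
        share2.append(r2)
    return share1, share2


def stack(share1, share2):
    """Overlaying two transparencies is a per-subpixel OR: black wins."""
    return [[a | b for a, b in zip(r1, r2)] for r1, r2 in zip(share1, share2)]


def reconstruct(stacked):
    """Collapse each 2-subpixel block: two black subpixels were a black
    pixel, one black subpixel was a white pixel."""
    return [[1 if row[i] + row[i + 1] == 2 else 0
             for i in range(0, len(row), 2)] for row in stacked]


def pattern_counts(share):
    """How often each pattern occurs in a share; roughly 50/50 for any secret,
    which is the property that makes a lone share useless to an attacker."""
    counts = {p: 0 for p in PATTERNS}
    for row in share:
        for i in range(0, len(row), 2):
            counts[tuple(row[i:i + 2])] += 1
    return counts


def render(image):
    """ASCII view: '#' for black, '.' for white."""
    return "\n".join("".join("#" if p else "." for p in row) for row in image)


# Constructed sample secret: a 5x7 letter "T".
SECRET = [
    [1, 1, 1, 1, 1, 1, 1],
    [0, 0, 0, 1, 0, 0, 0],
    [0, 0, 0, 1, 0, 0, 0],
    [0, 0, 0, 1, 0, 0, 0],
    [0, 0, 0, 1, 0, 0, 0],
]

if __name__ == "__main__":
    s1, s2 = make_shares(SECRET)
    print("share 1 alone:\n" + render(s1) + "\n")
    print("stacked and collapsed:\n" + render(reconstruct(stack(s1, s2))))
    print("pattern counts in share 1:", pattern_counts(s1))
```

The stacked image is a lossy, contrast-reduced rendering (white pixels come back as half-black blocks); the paper's "lossless construction" claim refers to recovering the exact original, which the plain stacking scheme here does only after the block-collapse step a computer performs, not the human eye.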



Raut, R.D.; Kulkarni, S.; Gharat, N.N., "Biometric Authentication Using Kekre's Wavelet Transform," Electronic Systems, Signal Processing and Computing Technologies (ICESC), 2014 International Conference on, pp. 99-104, 9-11 Jan. 2014. doi: 10.1109/ICESC.2014.22

Abstract: This paper proposes an enhanced method for personal authentication based on finger knuckle print using Kekre's wavelet transform (KWT). The finger-knuckle-print (FKP) is the inherent skin pattern of the outer surface around the phalangeal joint of one's finger. It is highly discriminable and unique, which makes it an emerging and promising biometric identifier. Kekre's wavelet transform is constructed from Kekre's transform. The proposed system is evaluated on a prepared FKP database that involves all categories of FKP. The total database contains 500 samples of FKP. This paper focuses on the different image enhancement techniques for the pre-processing of the captured images. The proposed algorithm is examined on 350 training and 150 testing samples of the database and shows that the quality of the database and the pre-processing techniques play an important role in recognizing the individual. The experimental results calculate performance parameters like false acceptance rate (FAR), false rejection rate (FRR), true acceptance rate (TAR) and true rejection rate (TRR). The tested results demonstrate the improvement in EER (Error Equal Rate), which is very important for authentication. The experimental results using Kekre's algorithm along with image enhancement show that the finger knuckle recognition rate is better than the conventional method.

Keywords: authorisation; biometrics (access control); image enhancement; image recognition; skin; wavelet transforms; EER; FAR; FKP database; FRR; KWT; Kekre wavelet transform; TAR; TRR; biometric authentication; error equal rate; false acceptance rate; false rejection rate; finger knuckle print; finger knuckle recognition rate; image enhancement; personal authentication; phalangeal joint; true acceptance rate; true rejection rate; Authentication; Databases; Feature extraction; Thumb; Wavelet transforms; Biometric; EER; Finger knuckle print; Kekre's Transform; Kekre's wavelet Transform   (ID#:15-4076)



Izu, T.; Sakemi, Y.; Takenaka, M.; Torii, N., "A Spoofing Attack against a Cancelable Biometric Authentication Scheme," Advanced Information Networking and Applications (AINA), 2014 IEEE 28th International Conference on, pp. 234-239, 13-16 May 2014. doi: 10.1109/AINA.2014.33

Abstract: ID/password-based authentication is commonly used in network services. Some users set different ID/password pairs for different services, but other users reuse an ID/password pair across services. Such recycling allows the list attack, in which an adversary tries to spoof a target user by using a list of IDs and passwords obtained from other systems by some means (an insider attack, malware, or even a DB leakage). As a countermeasure against the list attack, biometric authentication attracts more attention than before. In 2012, Hattori et al. proposed a cancelable biometric authentication scheme (fundamental scheme) based on homomorphic encryption algorithms. In the scheme, the registered biometric information (template) and the biometric information to compare are encrypted, and the similarity between these biometric information is computed while keeping them encrypted. Only the privileged entity (a decryption center), who has the corresponding decryption key, can obtain the similarity by decrypting the encrypted similarity and judge whether they are the same or not. Then, Hirano et al. showed a replay attack against this scheme and proposed two enhanced authentication schemes. In this paper, we propose a spoofing attack against the fundamental scheme when the feature vector, which is obtained by digitalizing the analogue biometric information, is represented as a binary coding such as Iris Code and Competitive Code. The proposed attack uses an unexpected vector as input, whose distance to all possible binary vectors is constant. Since the proposed attack is independent of the replay attack, the attack is also applicable to the two revised schemes by Hirano et al. as well. Moreover, this paper also discusses possible countermeasures to the proposed spoofing attack. In fact, this paper proposes a countermeasure by detecting such unexpected vectors.

Keywords: authorisation; biometrics (access control); cryptography; ID-password-based authentication; IrisCode; analogue biometric information; binary coding; biometric information; cancelable biometric authentication scheme; competitive code; decryption key; feature vector; homomorphic encryption algorithms; list attack; network services; privileged entity; registered biometric information; replay attack; spoofing attack; unexpected vector; Authentication; Encryption; Public key; Servers; Vectors   (ID#:15-4077)
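The core of the attack described above is a probe vector whose distance to every possible binary template is the same, so the decision no longer depends on the enrolled user at all. The block below is an added illustration written for this newsletter, not code from Izu et al. or from the Hattori et al. scheme. It assumes the matcher scores a probe against a binary template by squared Euclidean distance (which equals the Hamming distance on {0,1}^n) and accepts when the score is within a threshold; the homomorphic encryption that hides the vectors in the real scheme is left out, and the 0.32·n threshold is a commonly quoted iris-code value used only as a working assumption. The probe with every coordinate equal to 1/2 then sits at distance exactly n/4 from all 2^n templates, below the threshold, so the naive matcher accepts it against everyone. The countermeasure in the spirit of the abstract rejects any probe that is not a genuine binary code. The templates are random and constructed for the example.

```python
"""Constant-distance spoofing of a binary-template biometric matcher.

Added illustration of the attack idea in the abstract; not code from Izu et
al. or Hattori et al. Assumes squared-Euclidean (= Hamming on {0,1}^n)
matching with an accept-if-below threshold and leaves out the homomorphic
encryption of the real scheme.
"""
import random


def squared_distance(probe, template):
    """Squared Euclidean distance; on {0,1}-vectors this is the Hamming distance."""
    if len(probe) != len(template):
        raise ValueError("probe and template must have the same length")
    return sum((p - t) ** 2 for p, t in zip(probe, template))


def accept(probe, template, threshold):
    """Naive matcher: accept when the probe is within `threshold` of the template."""
    return squared_distance(probe, template) <= threshold


def spoof_probe(n):
    """The 'unexpected' input: every coordinate 1/2.

    (1/2 - 0)^2 and (1/2 - 1)^2 are both 1/4, so the squared distance to any
    binary template of length n is exactly n/4, whatever the template holds.
    """
    return [0.5] * n


def is_binary(probe):
    """Countermeasure along the lines the abstract proposes: a real feature
    vector is a binary code, so anything outside {0,1}^n is rejected."""
    return all(p in (0, 1) for p in probe)


def guarded_accept(probe, template, threshold):
    """Matcher with the unexpected-vector check in front of the distance test."""
    return is_binary(probe) and accept(probe, template, threshold)


def trial(n=256, threshold=None, templates=200, seed=1):
    """Fire the spoof probe at many random templates (constructed here) and
    count how many the naive and the guarded matcher accept.

    threshold defaults to 0.32 * n, a commonly quoted iris-code decision
    threshold; that value is an assumption of this example, not from the paper.
    """
    threshold = 0.32 * n if threshold is None else threshold
    rng = random.Random(seed)
    spoof = spoof_probe(n)
    naive_hits = guarded_hits = 0
    for _ in range(templates):
        template = [rng.randrange(2) for _ in range(n)]
        naive_hits += accept(spoof, template, threshold)
        guarded_hits += guarded_accept(spoof, template, threshold)
    return naive_hits, guarded_hits


if __name__ == "__main__":
    naive, guarded = trial()
    print(f"spoof accepted by naive matcher: {naive}/200")
    print(f"spoof accepted by guarded matcher: {guarded}/200")
```

A random genuine-looking binary probe sits at an expected distance of n/2 from an unrelated template and is rejected, which is why the scheme looks sound until a non-binary input is tried. In the real scheme the server never sees the probe in the clear, so the binary check has to be enforced under encryption or at enrolment of the client; the abstract does not say how the paper does this, and the example does not attempt it.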



Buranasaksee, U.; Porkaew, K.; Supasitthimethee, U., "AccAuth: Accounting System for OAuth Protocol," Applications of Digital Information and Web Technologies (ICADIWT), 2014 Fifth International Conference on the, pp. 8-13, 17-19 Feb. 2014. doi: 10.1109/ICADIWT.2014.6814698

Abstract: When a user accesses a resource, the accounting process at the server side does the job of keeping track of the resource usage so as to charge the user. In cloud computing, a user may use more than one service provider and need two independent service providers to work together. In this user-centric context, the user is the owner of the information and has the right to authorize a third party application to access the protected resource on the user's behalf. Therefore, the user also needs to monitor the authorized resource usage he granted to third party applications. However, the existing accounting protocols were proposed to monitor the resource usage in terms of how the user uses the resource from the service provider. This paper proposes the user-centric accounting model called AccAuth, which adds an accounting layer to the OAuth protocol. A prototype was then implemented, and the proposed model was evaluated against the standard requirements. The result showed that AccAuth passed all the requirements.

Keywords: accounting; authorisation; cloud computing; protocols; AccAuth; OAuth protocol; accounting layer; accounting process; accounting protocols; authorized resource usage; cloud computing protected resource access; resource usage monitor; service provider; third party application; user-centric accounting model; Authentication; Authorization; Computer architecture; Context; Protocols; Servers; Standards; accounting; authorized usage; cloud computing; delegation; three-party communication protocol   (ID#:15-4078)



Kumari, S.; Om, H., "Remote Login Password Authentication Scheme Based on Cuboid Using Biometric," Information Technology (ICIT), 2014 International Conference on, pp. 190-194, 22-24 Dec. 2014. doi: 10.1109/ICIT.2014.48

Abstract: In this paper, we propose a remote password authentication scheme based on 3-D geometry with a biometric value of the user. It is simple and practically useful, and a legal user can freely choose and change his password using a smart card that contains some information. The security of the system depends on the points on the diagonal of a cuboid in a 3D environment. Using a biometric value makes the points more secure because the characteristics of body parts cannot be copied or stolen.

Keywords: authorisation; biometrics (access control); computational geometry; smart cards; 3-D geometry; 3D environment; biometric value; cuboid diagonal; remote login password authentication scheme; smart card; system security; Authentication; Bismuth; Computers; Fingerprint recognition; Servers; Smart cards; 3-D geometry; Authentication; Biometric value; Cuboid; One way function; Password   (ID#:15-4079)



Liew Tze Hui; Bashier, H.K.; Lau Siong Hoe; Michael, G.K.O.; Wee Kouk Kwee, "Conceptual Framework For High-End Graphical Password," Information and Communication Technology (ICoICT), 2014 2nd International Conference on, pp. 64-68, 28-30 May 2014. doi: 10.1109/ICoICT.2014.6914041

Abstract: User authentication depends largely on the concept of passwords. However, users find it difficult to remember alphanumerical passwords over time. When users are required to choose a secure password, they tend to choose an easy, short and insecure one. The graphical password method is proposed as an alternative solution to text-based alphanumerical passwords. The reason for such a proposal is that the human brain is better at recognizing and memorizing pictures than traditional alphanumerical strings. Therefore, in this paper, we propose a conceptual framework to better understand user performance for a new high-end graphical password method. Our proposed framework is based on a hybrid approach combining different features into one. The user performance experimental analysis pointed out the effectiveness of the proposed framework.

Keywords: authorisation; graphical user interfaces; human factors; graphical password method; high-end graphical password; secure password; text-based alphanumerical passwords; user authentication; user performance experimental analysis; Authentication; Communications technology; Complexity theory; Databases; Face; Proposals; Graphical password; authentication; usability   (ID#:15-4080)



Arimura, S.; Fujita, M.; Kobayashi, S.; Kani, J.; Nishigaki, M.; Shiba, A., "i/k-Contact: A Context-Aware User Authentication Using Physical Social Trust," Privacy, Security and Trust (PST), 2014 Twelfth Annual International Conference on, pp. 407-413, 23-24 July 2014. doi: 10.1109/PST.2014.6890968

Abstract: In recent years, with growing demand for big data applications, research on context-awareness has once again become active. This paper proposes a new type of context-aware user authentication that controls the authentication level of users using the context of a "physical trust relationship" that is built between users by visual contact. In our proposal, the authentication control is carried out by two mechanisms, "i-Contact" and "k-Contact". i-Contact is the mechanism that visually confirms the user (the owner of a mobile device) using the surrounding users' eyes. The authenticity of users can be reliably assessed by these people (witnesses), even when the user exhibits ambiguous behavior. k-Contact is the mechanism that dynamically changes the authentication level of each user using the context information collected through i-Contact. Once a user is authenticated by eyewitness reports, the user is no longer prompted for a password to unlock his/her mobile device and/or to access confidential resources. Thus, by leveraging the proposed authentication system, usability for trusted users only can be securely enhanced. At the same time, our proposal anticipates the promotion of physical social communication, as face-to-face communication between users is triggered by the proposed authentication system.

Keywords: authorisation; trusted computing; ubiquitous computing; Big Data application; authentication control; authentication system; context-aware user authentication; i-k Contact mechanism; physical social trust; physical trust relationship; visual contact; Authentication; Companies; Context; Mobile handsets; Servers; Visualization; Context-aware security; Mobile-device-management (MDM); Physical communication; Social trust; User authentication; Visual contact   (ID#:15-4081)



Jan, M.A.; Nanda, P.; Xiangjian He; Zhiyuan Tan; Ren Ping Liu, "A Robust Authentication Scheme for Observing Resources in the Internet of Things Environment," Trust, Security and Privacy in Computing and Communications (TrustCom), 2014 IEEE 13th International Conference on, pp. 205, 211, 24-26 Sept. 2014. doi: 10.1109/TrustCom.2014.31

Abstract: The Internet of Things is a vision that broadens the scope of the internet by incorporating physical objects that identify themselves to the participating entities. This innovative concept enables a physical device to represent itself in the digital world. There is a lot of speculation and many future forecasts about Internet of Things devices. However, most of them are vendor specific and lack a unified standard, which hinders their seamless integration and interoperable operation. Another major concern is the lack of security features in these devices and their corresponding products. Most of them are resource-starved and unable to support computationally complex and resource-consuming secure algorithms. In this paper, we have proposed a lightweight mutual authentication scheme which validates the identities of the participating devices before engaging them in communication for resource observation. Our scheme incurs less connection overhead and provides a robust defence solution to combat various types of attacks.

Keywords: Internet of Things; authorisation; Internet of things environment; computationally complex algorithms; digital world; interoperable operations; participating entities; physical objects; resource consuming secure algorithms; robust authentication scheme; seamless integration; security features; Authentication; Cryptography; Internet; Payloads; Robustness; Servers; Authentication; CoAP; Conditional Option; Internet of Things (IoT); Resource Observation   (ID#:15-4082)



Uymatiao, M.L.T.; Yu, W.E.S., "Time-based OTP Authentication Via Secure Tunnel (TOAST): A Mobile TOTP Scheme Using TLS Seed Exchange And Encrypted Offline Keystore," Information Science and Technology (ICIST), 2014 4th IEEE International Conference on, pp. 225, 229, 26-28 April 2014. doi: 10.1109/ICIST.2014.6920371

Abstract: The main objective of this research is to build upon existing cryptographic standards and web protocols to design an alternative multi-factor authentication cryptosystem for the web. It involves seed exchange to a software-based token through a login-protected Transport Layer Security (TLS/SSL) tunnel, encrypted local storage through a password-protected keystore (BC UBER) with a strong key derivation function (PBEWithSHAANDTwofish-CBC), and offline generation of one-time passwords through the TOTP algorithm (IETF RFC 6239). Authentication occurs through the use of a shared secret (the seed) to verify the correctness of the one-time password used to authenticate. With the traditional use of username and password no longer wholly adequate for protecting online accounts, and with regulators worldwide toughening up security requirements (i.e. BSP 808, FFIEC), this research hopes to increase research effort on further development of cryptosystems involving multi-factor authentication.

Keywords: authorisation; cryptography; BC UBER keystore; IETF RFC 6239 standard; PBEWithSHAANDTwofish-CBC function; TLS seed exchange; TOAST scheme; TOTP algorithm; Web protocols; cryptographic standards; cryptosystems development; encrypted offline keystore; mobile TOTP scheme; multifactor authentication; multifactor authentication cryptosystem; one-time password; password-protected keystore; secure tunnel; security requirements; software-based token; strong key derivation function; time-based OTP authentication; transport layer security; Authentication; Cryptography; Google; Mobile communication; Radiation detectors; Servers   (ID#:15-4083)
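The offline one-time-password step described in the abstract above is the TOTP algorithm; note that TOTP is specified in IETF RFC 6238 (building on HOTP, RFC 4226), not RFC 6239 as the abstract cites. The following is an added example, not code from the paper or from the TOAST scheme, showing the generation side and a server-side check with a drift window and replay refusal. The TLS seed exchange and the encrypted keystore are not modelled here; the seed is simply passed in as bytes, and the Base32 decoding helper is an assumption about how seeds are commonly transported in enrolment QR codes.

```python
"""TOTP (RFC 6238) over HOTP (RFC 4226): generation and windowed verification.

Added example; assumes the seed has already been delivered to the token and is
held as raw bytes. Verified against the published RFC test vectors.
"""
import base64
import hashlib
import hmac
import struct
import time


def seed_from_base32(encoded: str) -> bytes:
    """Decode a Base32 seed as typically shown in enrolment QR codes (assumed
    transport format; padding is usually omitted there, so restore it)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)           # keep leading zeros


def totp(secret: bytes, for_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter T = floor((time - T0) / step)."""
    return hotp(secret, (for_time - t0) // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1,
                digits: int = 6, last_counter=None):
    """Server-side check. Returns the accepted counter, or None if the code is refused.

    The current step plus `window` steps either side are tried so a token whose
    clock drifted slightly still works. Any counter at or below `last_counter`
    (the counter this user last authenticated with) is refused, so a captured
    code cannot be replayed while it is still inside the window. Comparison is
    constant-time via hmac.compare_digest.
    """
    base = now // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # Constructed demo seed (not a real credential).
    seed = seed_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")   # b"12345678901234567890"
    now = int(time.time())
    code = totp(seed, now)
    print("current code:", code, "accepted counter:", verify_totp(seed, code, now))
```

The RFC 6238 reference vectors use the ASCII seed `12345678901234567890` with SHA-1 and 8 digits (for example, time 59 yields `94287082`), which is what the demo seed above decodes to. In a real verifier, `last_counter` must be persisted per user and updated with the returned counter; without it, the drift window turns every code into a short-lived but replayable credential.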



Min Li; Xin Lv; Wei Song; Wenhuan Zhou; Rongzhi Qi; Huaizhi Su, "A Novel Identity Authentication Scheme of Wireless Mesh Network Based on Improved Kerberos Protocol," Distributed Computing and Applications to Business, Engineering and Science (DCABES), 2014 13th International Symposium on, pp. 190, 194, 24-27 Nov. 2014. doi: 10.1109/DCABES.2014.41

Abstract: The traditional Kerberos protocol has some limitations in achieving clock synchronization and in key storage; meanwhile, it is vulnerable to password guessing attacks and to attacks caused by malicious software. In this paper, a new authentication scheme is proposed for wireless mesh networks. By utilizing public key encryption techniques, the security of the proposed scheme is enhanced. Besides, the timestamp in the traditional protocol is replaced by random numbers to reduce implementation cost. The analysis shows that the improved authentication protocol is suited to wireless mesh networks, and can make identity authentication more secure and efficient.

Keywords: cryptographic protocols; public key cryptography; synchronisation; wireless mesh networks; authentication protocol; clock synchronization; identity authentication scheme; improved Kerberos protocol; malicious software; password guessing attack; public key encryption; random numbers; storing key; wireless mesh network; Authentication; Authorization; Protocols; Public key; Servers; Wireless mesh networks; Kerberos protocol; Wireless Mesh network; identity Authentication; public key encryption   (ID#:15-4084)
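The abstract above contrasts Kerberos-style timestamp freshness with random numbers (nonces) but does not detail the proposed protocol, so the following is an added illustration of the general trade-off rather than the paper's scheme: a timestamp authenticator only works when both clocks agree within a skew window and the server keeps a replay cache spanning that window, whereas a server-issued nonce needs no client clock and is consumed on first use. The key, client names and message layout are constructed for the example; a real deployment would carry these inside the encrypted Kerberos messages.

```python
"""Freshness in an authenticator: timestamp window + replay cache versus server nonce.

Added example with constructed keys and messages; not the paper's protocol.
"""
import hashlib
import hmac
import os


def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def client_timestamp_auth(key: bytes, client: str, ts: int) -> bytes:
    """Kerberos-style authenticator: prove possession of the shared key over a timestamp."""
    return _mac(key, client.encode(), str(ts).encode())


class TimestampVerifier:
    """Accept if the MAC is valid, |now - ts| <= skew, and (client, ts) was not seen before.

    Both conditions are load-bearing: without the skew bound the cache grows without
    limit, and without the cache any captured authenticator replays within the window.
    The skew default of 300 s matches the usual Kerberos clockskew setting.
    """
    def __init__(self, key: bytes, skew: int = 300):
        self.key, self.skew, self.seen = key, skew, set()

    def verify(self, client: str, ts: int, mac: bytes, now: int) -> bool:
        if not hmac.compare_digest(_mac(self.key, client.encode(), str(ts).encode()), mac):
            return False
        if abs(now - ts) > self.skew:          # requires synchronized clocks
            return False
        if (client, ts) in self.seen:          # replay cache
            return False
        self.seen.add((client, ts))
        return True


def client_nonce_response(key: bytes, client: str, nonce: bytes) -> bytes:
    """Challenge-response: MAC the server's fresh nonce instead of a clock value."""
    return _mac(key, client.encode(), nonce)


class NonceVerifier:
    """The server mints a random challenge, remembers it, and consumes it on first use.

    The client needs no clock at all. `ttl` is measured on the server's own clock and
    only bounds how long an unanswered challenge is retained.
    """
    def __init__(self, key: bytes, ttl: int = 60):
        self.key, self.ttl, self.outstanding = key, ttl, {}

    def challenge(self, now: int) -> bytes:
        nonce = os.urandom(16)
        self.outstanding[nonce] = now
        return nonce

    def verify(self, client: str, nonce: bytes, mac: bytes, now: int) -> bool:
        issued = self.outstanding.pop(nonce, None)   # single use, even if the MAC fails
        if issued is None or now - issued > self.ttl:
            return False
        return hmac.compare_digest(_mac(self.key, client.encode(), nonce), mac)


if __name__ == "__main__":
    key = b"constructed-shared-key"                # constructed, not a real credential
    tv = TimestampVerifier(key)
    a = client_timestamp_auth(key, "alice", 1000)
    print("timestamp, fresh:", tv.verify("alice", 1000, a, now=1010))
    print("timestamp, replay:", tv.verify("alice", 1000, a, now=1011))
    print("timestamp, clock off by 1h:", tv.verify("alice", 1000, a, now=4600))
    nv = NonceVerifier(key)
    n = nv.challenge(now=1000)
    r = client_nonce_response(key, "alice", n)
    print("nonce, fresh:", nv.verify("alice", n, r, now=1030))
    print("nonce, replay:", nv.verify("alice", n, r, now=1031))
```

The nonce design trades the clock dependency for an extra round trip (the client must fetch the challenge first) and for server-side state per outstanding challenge, which is why `ttl` exists; the timestamp design avoids the round trip but only remains safe while clocks stay within `skew` and the replay cache is actually consulted.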



Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.