Open Access. Powered by Scholars. Published by Universities.®

Physical Sciences and Mathematics Commons

Articles 1 - 30 of 31

Full-Text Articles in Physical Sciences and Mathematics

Secure Self-Checkout Kiosks Using Alma API With Two-Factor Authentication, Ron Bulaon Aug 2021

Research Collection Library

Self-checkout kiosks have become a staple feature of many modern and digitized libraries. These devices are used by library patrons for self-service item loans. Most implementations are not new; in fact, many of these systems are simple, straightforward and work as intended. But behind this useful technology, there is a security concern on authentication that has to be addressed.

In my proposed presentation, I will discuss the risk factors of self-checkout kiosks and propose a solution using Alma APIs. I will address the technical shortcomings of the current implementations, compared to the proposed solution, and where the weakest link …


UltraPIN: Inferring PIN Entries Via Ultrasound, Liu, Ximing, Robert H. Deng, Robert H. Deng Jun 2021

Research Collection School Of Computing and Information Systems

While PIN-based user authentication systems such as ATM have long been considered to be secure enough, they are facing new attacks, named UltraPIN, which can be launched from commodity smartphones. As a target user enters a PIN on a PIN-based user authentication system, an attacker may use UltraPIN to infer the PIN from a short distance (50 cm to 100 cm). In this process, UltraPIN leverages smartphone speakers to issue human-inaudible ultrasound signals and uses smartphone microphones to keep recording acoustic signals. It applies a series of signal processing techniques to extract high-quality feature vectors from low-energy and high-noise signals …


An Efficient Privacy Preserving Message Authentication Scheme For Internet-Of-Things, Jiannan Wei, Tran Viet Xuan Phuong, Guomin Yang Jan 2021

Research Collection School Of Computing and Information Systems

As an essential element of the next generation Internet, Internet of Things (IoT) has been undergoing an extensive development in recent years. In addition to the enhancement of people's daily lives, IoT devices also generate/gather a massive amount of data that could be utilized by machine learning and big data analytics for different applications. Due to the machine-to-machine communication nature of IoT, data security and privacy are crucial issues that must be addressed to prevent different cyber attacks (e.g., impersonation and data pollution/poisoning attacks). Nevertheless, due to the constrained computation power and the diversity of IoT devices, it is a …


Designing Leakage-Resilient Password Entry On Head-Mounted Smart Wearable Glass Devices, Yan Li, Yao Cheng, Wenzhi Meng, Yingjiu Li, Robert H. Deng Jul 2020

Research Collection School Of Computing and Information Systems

With the boom of Augmented Reality (AR) and Virtual Reality (VR) applications, head-mounted smart wearable glass devices are becoming popular to help users access various services like E-mail freely. However, most existing password entry schemes on smart glasses rely on additional computers or mobile devices connected to smart glasses, which require users to switch between different systems and devices. This may greatly lower the practicability and usability of smart glasses. In this paper, we focus on this challenge and design three practical anti-eavesdropping password entry schemes on stand-alone smart glasses, named gTapper, gRotator and gTalker. The main idea is to …


Editing-Enabled Signatures: A New Tool For Editing Authenticated Data, Binanda Sengupta, Yingjiu Li, Yangguang Tian, Robert H. Deng Jun 2020

Research Collection School Of Computing and Information Systems

Data authentication primarily serves as a tool to achieve data integrity and source authentication. However, traditional data authentication does not fit well where an intermediate entity (editor) is required to modify the authenticated data provided by the source/data owner before sending the data to other recipients. To ask the data owner for authenticating each modified data can lead to higher communication overhead. In this article, we introduce the notion of editing-enabled signatures where the data owner can choose any set of modification operations applicable on the data and still can restrict any possibly untrusted editor to authenticate the data modified …


When Keystroke Meets Password: Attacks And Defenses, Ximing Liu Dec 2019

Dissertations and Theses Collection (Open Access)

Password is a prevalent means used for user authentication in pervasive computing environments since it is simple to be deployed and convenient to use. However, the use of password has intrinsic problems due to the involvement of keystroke. Keystroke behaviors may emit various side-channel information, including timing, acoustic, and visual information, which can be easily collected by an adversary and leveraged for the keystroke inference. On the other hand, that keystroke-related information can also be used to protect a user's credentials via two-factor authentication and biometrics authentication schemes. This dissertation focuses on investigating the PIN inference due to the side-channel …


Securing Messaging Services Through Efficient Signcryption With Designated Equality Test, Yujue Wang, Hwee Hwa Pang, Robert H. Deng, Yong Ding, Qianhong Wu, Bo Qin Jul 2019

Research Collection School Of Computing and Information Systems

To address security and privacy issues in messaging services, we present a public key signcryption scheme with designated equality test on ciphertexts (PKS-DET) in this paper. The scheme enables a sender to simultaneously encrypt and sign (signcrypt) messages, and to designate a tester to perform equality test on ciphertexts, i.e., to determine whether two ciphertexts signcrypt the same underlying plaintext message. We introduce the PKS-DET framework, present a concrete construction and formally prove its security against three types of adversaries, representing two security requirements on message confidentiality against outsiders and the designated tester, respectively, and a requirement on message unforgeability …


SUAA: A Secure User Authentication Scheme With Anonymity For The Single & Multi-Server Environments, Nassoro M. R. Lwamo, Liehuang Zhu, Chang Xu, Kashif Sharif, Ximeng Liu, Chuan Zhang Mar 2019

Research Collection School Of Computing and Information Systems

The rapid increase in user base and technological penetration has enabled the use of a wide range of devices and applications. The services are rendered to these devices from single-server or highly distributed server environments, irrespective of their location. As the information exchanged between servers and clients is private, numerous forms of attacks can be launched to compromise it. To ensure the security, privacy, and availability of the services, different authentication schemes have been proposed for both single-server and multi-server environments. The primary performance objective of such schemes is to prevent most (if not all) attacks, with minimal computational costs …


When Human Cognitive Modeling Meets PINs: User-Independent Inter-Keystroke Timing Attacks, Ximing Liu, Yingjiu Li, Robert H. Deng, Bing Chang, Shujun Li Jan 2019

Research Collection School Of Computing and Information Systems

This paper proposes the first user-independent inter-keystroke timing attacks on PINs. Our attack method is based on an inter-keystroke timing dictionary built from a human cognitive model whose parameters can be determined by a small amount of training data on any users (not necessarily the target victims). Our attacks can thus be potentially launched on a large scale in real-world settings. We investigate inter-keystroke timing attacks in different online attack settings and evaluate their performance on PINs at different strength levels. Our experimental results show that the proposed attack performs significantly better than random guessing attacks. We further demonstrate that …


Blockchain Based Efficient And Robust Fair Payment For Outsourcing Services In Cloud Computing, Yinghui Zhang, Robert H. Deng, Ximeng Liu, Dong Zheng Sep 2018

Research Collection School Of Computing and Information Systems

As an attractive business model of cloud computing, outsourcing services usually involve online payment and security issues. The mutual distrust between users and outsourcing service providers may severely impede the wide adoption of cloud computing. Nevertheless, most existing payment solutions only consider a specific type of outsourcing service and rely on a trusted third-party to realize fairness. In this paper, in order to realize secure and fair payment of outsourcing services in general without relying on any third-party, trusted or not, we introduce BCPay, a blockchain based fair payment framework for outsourcing services in cloud computing. We first present the …


Performance Characterization Of Deep Learning Models For Breathing-Based Authentication On Resource-Constrained Devices, Jagmohan Chauhan, Jathusan Rajasegaran, Surang Seneviratne, Archan Misra, Aruan Seneviratne, Youngki Lee Apr 2018

Research Collection School Of Computing and Information Systems

Providing secure access to smart devices such as mobiles, wearables and various other IoT devices is becoming increasingly important, especially as these devices store a range of sensitive personal information. Breathing acoustics-based authentication offers a highly usable and possibly a secondary authentication mechanism for such authorized access, especially as it can be readily applied to small form-factor devices. Executing sophisticated machine learning pipelines for such authentication on such devices remains an open problem, given their resource limitations in terms of storage, memory and computational power. To investigate this possibility, we compare the performance of an end-to-end system for both user identification and user verification …


BreathPrint: Breathing Acoustics-Based User Authentication, Jagmohan Chauhan, Yining Hu, Suranga Sereviratne, Archan Misra, Aruna Sereviratne, Youngki Lee Jun 2017

Research Collection School Of Computing and Information Systems

We propose BreathPrint, a new behavioural biometric signature based on audio features derived from an individual's commonplace breathing gestures. Specifically, BreathPrint uses the audio signatures associated with the three individual gestures: sniff, normal, and deep breathing, which are sufficiently different across individuals. Using these three breathing gestures, we develop the processing pipeline that identifies users via the microphone sensor on smartphones and wearable devices. In BreathPrint, a user performs breathing gestures while holding the device very close to their nose. Using off-the-shelf hardware, we experimentally evaluate the BreathPrint prototype with 10 users, observed over seven days. We show that users …


What You See Is Not What You Get: Leakage-Resilient Password Entry Schemes For Smart Glasses, Yan Li, Yao Cheng, Yingjiu Li, Robert H. Deng Apr 2017

Research Collection School Of Computing and Information Systems

Smart glasses are becoming popular for users to access various services such as email. To protect these services, password-based user authentication is widely used. Unfortunately, the password based user authentication has inherent vulnerability against password leakage. Many efforts have been put on designing leakage resilient password entry schemes on PCs and mobile phones with traditional input equipment including keyboards and touch screens. However, such traditional input equipment is not available on smart glasses. Existing password entry on smart glasses relies on additional PCs or mobile devices. Such solutions force users to switch between different systems, which causes interrupted experience and …


Trustworthy Authentication On Scalable Surveillance Video With Background Model Support, Zhuo Wei, Zheng Yan, Yongdong Wu, Robert H. Deng Sep 2016

Research Collection School Of Computing and Information Systems

H.264/SVC (Scalable Video Coding) codestreams, which consist of a single base layer and multiple enhancement layers, are designed for quality, spatial, and temporal scalabilities. They can be transmitted over networks of different bandwidths and seamlessly accessed by various terminal devices. With a huge amount of video surveillance and various devices becoming an integral part of the security infrastructure, the industry is currently starting to use the SVC standard to process digital video for surveillance applications such that clients with different network bandwidth connections and display capabilities can seamlessly access various SVC surveillance (sub)codestreams. In order to guarantee the trustworthiness and …


Towards Secure Online Distribution Of Multimedia Codestreams, Swee Won Lo May 2016

Dissertations and Theses Collection (Open Access)

Multimedia codestreams distributed through open and insecure networks are subjected to attacks such as malicious content tampering and unauthorized accesses. This dissertation first addresses the issue of authentication as a means to integrity-protect multimedia codestreams against malicious tampering. Two cryptographic-based authentication schemes are proposed to authenticate generic scalable video codestreams with a multi-layered structure. The first scheme combines the salient features of hash-chaining and double error correction coding to achieve loss resiliency with low communication overhead and proxy-transparency. The second scheme further improves computation cost by replacing digital signature with a hash-based message authentication code to achieve packet-level …


Analysis And Improvement On A Biometric-Based Remote User Authentication Scheme Using Smart Cards, Fengtong Wen, Willy Susilo, Guomin Yang Feb 2015

Research Collection School Of Computing and Information Systems

In a recent paper (BioMed Research International, 2013/491289), Khan et al. proposed an improved biometrics-based remote user authentication scheme with user anonymity. The scheme is believed to be secure against password guessing attack, user impersonation attack, server masquerading attack, and provide user anonymity, even if the secret information stored in the smart card is compromised. In this paper, we analyze the security of Khan et al.’s scheme, and demonstrate that their scheme doesn’t provide user anonymity. This also renders that their scheme is insecure against other attacks, such as off-line password guessing attack, user impersonation attacks. Subsequently, we propose a …


Technique For Authenticating H.264/SVC And Its Performance Evaluation Over Wireless Mobile Networks, Yifan Zhao, Swee Won Lo, Robert H. Deng, Xuhua Ding May 2014

Research Collection School Of Computing and Information Systems

In this paper, a bit stream-based authentication scheme for H.264/Scalable Video Coding (SVC) is proposed. The proposed scheme seamlessly integrates cryptographic algorithms and Erasure Correction Codes (ECCs) to SVC video streams such that the authenticated streams are format compliant with the SVC specifications and preserve the three-dimensional scalability (i.e., spatial, quality and temporal) of the original streams. We implement our scheme on a smart phone and study its performance over a realistic bursty packet-lossy wireless mobile network. Our analysis and experimental results show that the scheme achieves very high verification rates with lower communication overhead and much smaller …


Keystroke Biometrics: The User Perspective, Chee Meng Tey, Payas Gupta, Kartik Muralidaran, Debin Gao Mar 2014

Research Collection School Of Computing and Information Systems

Usability is an important aspect of security, because poor usability motivates users to find shortcuts that bypass the system. Existing studies on keystroke biometrics evaluate the usability issue in terms of the average false rejection rate (FRR). We show in this paper that such an approach underestimates the user impact in two ways. First, the FRR of keystroke biometrics changes for the worse under a range of common conditions such as background music, exercise and even game playing. In a user study involving 111 participants, the average penalties (increases) in FRR are 0.0360 and 0.0498, respectively, for two different classifiers. …


A Secure And Effective Anonymous User Authentication Scheme For Roaming Service In Global Mobility Networks, Fengtong Wen, Willy Susilo, Guomin Yang Dec 2013

Research Collection School Of Computing and Information Systems

In global mobility networks, anonymous user authentication is an essential task for enabling roaming service. In a recent paper, Jiang et al. proposed a smart card based anonymous user authentication scheme for roaming service in global mobility networks. This scheme can protect user privacy and is believed to have many abilities to resist a range of network attacks, even if the secret information stored in the smart card is compromised. In this paper, we analyze the security of Jiang et al.’s scheme, and show that the scheme is in fact insecure against the stolen-verifier attack and replay attack. Then, we …


Technique For Authenticating H.264/SVC Streams In Surveillance Applications, Wei Zhuo, Robert H. Deng, Jialie Shen, Yongdong Wu, Xuhua Ding, Swee Won Lo Jul 2013

Research Collection School Of Computing and Information Systems

Surveillance codestreams coded by H.264/SVC (scalable video coding), which consists of one base layer and one or more enhancement layers, supply flexible and various quality, resolution, and temporal (sub)codestreams such that clients with different network bandwidth and terminal devices can seamlessly access them. In this paper, we present a robust authentication scheme for them in order to insure the integrity of SVC surveillance codestreams, named AUSSC (Authenticating SVC Surveillance Codestreams). AUSSC exploits cryptographic-based authentication for base layer and content-based authentication for enhancement layers. For content-based authentication, AUSSC extracts full features from the first frame of each GOP (group of picture) …


Exploiting Human Factors In User Authentication, Payas Gupta Jan 2013

Dissertations and Theses Collection (Open Access)

Our overarching issue in security is the human factor – and dealing with it is perhaps one of the biggest challenges we face today. Human factor is often described as the weakest part of a security system and users are often described as the weakest link in the security chain. In this thesis, we focus on two problems which are caused by human factors in user authentication and propose respective solutions. a) Secrecy information inference attack – publicly available information can be used to infer some secrecy information about the user. b) Coercion attack – where an attacker forces a …


An Improved Authentication Scheme For H.264/SVC And Its Performance Evaluation Over Non-Stationary Wireless Mobile Networks, Yifan Zhao, Swee-Won Lo, Robert H. Deng, Xuhua Ding Nov 2012

Research Collection School Of Computing and Information Systems

In this paper, a bit stream-based authentication scheme for H.264/Scalable Video Coding (SVC) is proposed. The proposed scheme seamlessly integrates cryptographic algorithms and erasure correction codes (ECCs) to SVC video streams such that the authenticated streams are format compliant with the SVC specifications and preserve the three-dimensional scalability (i.e., spatial, quality and temporal) of the original streams. We implement our scheme on a smart phone and study its performance over a realistic bursty packet-lossy wireless mobile network. Our analysis and experimental results show that the scheme achieves very high verification rates with lower communication overhead and much smaller …


Coercion Resistance In Authentication Responsibility Shifting, Payas Gupta, Xuhua Ding, Debin Gao May 2012

Research Collection School Of Computing and Information Systems

Responsibility shifting, a popular solution used in the event of failure of primary authentication where a human helper is involved in regaining access, is vulnerable to coercion attacks. In this work, we report our user study which investigates the helper’s emotional status when being coerced to assist in an attack. Results show that the coercion causes involuntary skin conductance fluctuation on the helper, which indicates that he/she is nervous and stressed. This response can be used to strengthen the security of the authentication system by providing coercion resistance.


Vulnerability Analysis Of RFID Protocols For Tag Ownership Transfer, Pedro Peris-Lopez, Julio Hernandez-Castro, Juan Tapiador, Tieyan Li, Yingjiu Li Jan 2010

Research Collection School Of Computing and Information Systems

In RFIDSec’08, Song proposed an ownership transfer scheme, which consists of an ownership transfer protocol and a secret update protocol [7]. The ownership transfer protocol is completely based on a mutual authentication protocol proposed in WiSec’08 [8]. In Rizomiliotis et al. (2009) [6], van Deursen and Radomirovic (2008), the first weaknesses to be identified (tag and server impersonation) were addressed and this paper completes the consideration of them all. We find that the mutual authentication protocol, and therefore the ownership transfer protocol, possesses certain weaknesses related to most of the security properties initially required in protocol design: tag information leakage, …


On The Untraceability Of Anonymous RFID Authentication Protocol With Constant Key-Lookup, Bing Liang, Yingjiu Li, Tieyan Li, Robert H. Deng Dec 2009

Research Collection School Of Computing and Information Systems

In ASIACCS'08, Burmester, Medeiros and Motta proposed an anonymous RFID authentication protocol (BMM protocol [2]) that preserves the security and privacy properties, and achieves better scalability compared with other contemporary approaches. We analyze the BMM protocol and find that some of the security properties (especially untraceability) are not fulfilled as originally claimed. We consider a subtle attack, in which an adversary can manipulate the messages transmitted between a tag and a reader for several continuous protocol runs, and can successfully trace the tag after these interactions. Our attack works under a weak adversary model, in which an adversary can eavesdrop, intercept and …


Secure Mobile Agents With Designated Hosts, Qi Zhang, Yi Mu, Minji Zhang, Robert H. Deng Oct 2009

Research Collection School Of Computing and Information Systems

Mobile agents often travel in a hostile environment where their security and privacy could be compromised by any party including remote hosts in which agents visit and get services. It was proposed in the literature that the host visited by an agent should jointly sign a service agreement with the agent's home, where a proxy-signing model was deployed and every host in the agent system can sign. We observe that this actually poses a serious problem in that a host that should be excluded from an underlying agent network could also send a signed service agreement. In order to solve …


Flexible Access Control To JPEG 2000 Image Code-Streams, Yongdong Wu, Di Ma, Robert H. Deng Oct 2007

Research Collection School Of Computing and Information Systems

JPEG 2000 is an international standard for still image compression in the 21st century. Part 8 of the standard, named JPSEC, is concerned with all the security aspects, in particular to access control and authentication. This paper presents a novel access control scheme for JPEG 2000 image code-streams. The proposed scheme is secure against collusion attacks and highly efficient. The scheme is also very flexible, allowing access control to JPEG 2000 image code-streams according to any combination of resolution, quality layer and region of interest. The "encrypt once, decrypt many ways" property of our scheme is designed to work seamlessly …


Authenticating Query Results In Data Publishing, Di Ma, Robert H. Deng, Hwee Hwa Pang, Jianying Zhou Dec 2005

Research Collection School Of Computing and Information Systems

We propose a communication-efficient authentication scheme to authenticate query results disseminated by untrusted data publishing servers. In our scheme, signatures of multiple tuples in the result set are aggregated into one and thus the communication overhead incurred by the signature keeps constant. Next attr-MHTs (tuple based Merkle Hash Tree) are built to further reduce the communication overhead incurred by auxiliary authentication information (AAI). Besides the property of communication-efficiency, our scheme also supports dynamic SET operations (UNION, INTERSECTION) and dynamic JOIN with immunity to reordering attack.


Security Analysis And Improvement Of Return Routability Protocol, Ying Qiu, Jianying Zhou, Robert H. Deng Sep 2005

Research Collection School Of Computing and Information Systems

Mobile communication plays a more and more important role in computer networks. How to authenticate a new connecting address belonging to a said mobile node is one of the key issues in mobile networks. This paper analyzes the Return Routability (RR) protocol and proposes an improved security solution for the RR protocol without changing its architecture. With the improvement, three types of redirect attacks can be prevented.


Breaking Public Key Cryptosystems On Tamper Resistant Devices In The Presence Of Transient Faults, Feng Bao, Robert H. Deng, Y. Han, A. Jeng, Arcot Desai Narasimhalu, T. Ngair Jun 2005

Research Collection School Of Computing and Information Systems

In this paper we present a method of attacking public-key cryptosystems (PKCs) on tamper resistant devices. The attack makes use of transient faults and seems applicable to many types of PKCs. In particular, we show how to attack the RSA, the ElGamal signature scheme, the Schnorr signature scheme, and the DSA. We also present some possible methods to counter the attack.