Physical Sciences and Mathematics Commons^™

An Efficient And Expressive Ciphertext-Policy Attribute-Based Encryption Scheme With Partially Hidden Access Structures, Revisited, Hui Cui, Robert H. Deng, Junzuo Lai, Xun Yi, Surya Nepal

Research Collection School Of Computing and Information Systems

Ciphertext-policy attribute-based encryption (CP-ABE) has been regarded as one of the promising solutions to protect data security and privacy in cloud storage services. In a CP-ABE scheme, an access structure is included in the ciphertext, which, however, may leak sensitive information about the underlying plaintext and the privileged recipients in that anyone who sees the ciphertext is able to learn the attributes of the privileged recipients from the associated access structure. In order to address this issue, CP-ABE with partially hidden access structures was introduced where each attribute is divided into an attribute name and an attribute value and the …

Sclib: A Practical And Lightweight Defense Against Component Hijacking In Android Applications, Daoyuan Wu, Yao Cheng, Debin Gao, Yingjiu Li, Robert H. Deng

Research Collection School Of Computing and Information Systems

Cross-app collaboration via inter-component communication is a fundamental mechanism on Android. Although it brings the benefits such as functionality reuse and data sharing, a threat called component hijacking is also introduced. By hijacking a vulnerable component in victim apps, an attack app can escalate its privilege for operations originally prohibited. Many prior studies have been performed to understand and mitigate this issue, but no defense is being deployed in the wild, largely due to the deployment difficulties and performance concerns. In this paper we present SCLib, a secure component library that performs in-app mandatory access control on behalf of app …

Secure Fine-Grained Access Control And Data Sharing For Dynamic Groups In The Cloud, Shengmin Xu, Guomin Yang, Yi Mu, Robert H. Deng

Research Collection School Of Computing and Information Systems

Cloud computing is an emerging computing paradigm that enables users to store their data in a cloud server to enjoy scalable and on-demand services. Nevertheless, it also brings many security issues, since cloud service providers (CSPs) are not in the same trusted domain as users. To protect data privacy against untrusted CSPs, existing solutions apply cryptographic methods (e.g., encryption mechanisms) and provide decryption keys only to authorized users. However, sharing cloud data among authorized users at a fine-grained level is still a challenging issue, especially when dealing with dynamic user groups. In this paper, we propose a secure and efficient …

Attribute-Based Cloud Storage With Secure Provenance Over Encrypted Data, Hui Cui, Robert H. Deng, Yingjiu Li

Research Collection School Of Computing and Information Systems

To securely and conveniently enjoy the benefits of cloud storage, it is desirable to design a cloud data storage system which protects data privacy from storage servers through encryption, allows fine-grained access control such that data providers can expressively specify who are eligible to access the encrypted data, enables dynamic user management such that the total number of data users is unbounded and user revocation can be carried out conveniently, supports data provider anonymity and traceability such that a data provider’s identity is not disclosed to data users in normal circumstances but can be traced by a trusted authority if …

A Lightweight Policy Preserving Ehr Sharing Scheme In The Cloud, Zuobin Ying, Lu Wei, Qi Li, Ximeng Liu, Jie Cui

Research Collection School Of Computing and Information Systems

Electronic Health Record (EHR) is a digital health documentary. It contains not only the health-related records but also the personal sensitive information. Therefore, how to reliably share EHR through the cloud is a challenging issue. Ciphertext-policy attribute-based encryption (CP-ABE) is a promising cryptography prototype, which can achieve fine-grained access control as well as one-to-many encryption. In CP-ABE, access policy is attached to the ciphertext, and however, the access policy is not protected, which will also cause some privacy leakage. In this paper, we propose a policy preserving EHR system on the basis of CP-ABE. Specifically, we designed an algorithm, which …

Attribute-Based Encryption With Expressive And Authorized Keyword Search, Hui Cui, Robert H. Deng, Joseph K. Liu, Yingjiu Li

Research Collection School Of Computing and Information Systems

To protect data security and privacy in cloud storage systems, a common solution is to outsource data in encrypted forms so that the data will remain secure and private even if storage systems are compromised. The encrypted data, however, must be pliable to search and access control. In this paper, we introduce a notion of attribute-based encryption with expressive and authorized keyword search (ABE-EAKS) to support both expressive keyword search and fine-grained access control over encrypted data in the cloud. In ABE-EAKS, every data user is associated with a set of attributes and is issued a private attribute-key corresponding to …

Towards Automatic Repair Of Xacml Policies, Shuai Peng

Boise State University Theses and Dissertations

In a complex information system, controlling the access to resources is challenging. As a new generation of access control techniques, Attribute-Based Access Control (ABAC) can provide more flexible and fine-grained access control than Role-Based-Access Control (RBAC). XACML (eXtensible Access Control Markup Language) is an industrial standard for specifying ABAC policies. XACML policies tend to be complex because of the great variety of attribute types for fine-grained access control. This means that XACML policies are prone to errors and difficult to debug. This paper presents a first attempt at automating the debugging process of XACML policies. Two techniques are used for …

Encrypted Data Processing With Homomorphic Re-Encryption, Wenxiu Ding, Zheng Yan, Robert H. Deng

Research Collection School Of Computing and Information Systems

Cloud computing offers various services to users by re-arranging storage and computing resources. In order to preserve data privacy, cloud users may choose to upload encrypted data rather than raw data to the cloud. However, processing and analyzing encrypted data are challenging problems, which have received increasing attention in recent years. Homomorphic Encryption (HE) was proposed to support computation on encrypted data and ensure data confidentiality simultaneously. However, a limitation of HE is it is a single user system, which means it only allows the party that owns a homomorphic decryption key to decrypt processed ciphertexts. Original HE cannot support …

Protecting Sensitive Data In Clouds Using Active Data Bundles And Agent-Based Secure Multi-Party Computation, Akram Y. Sarhan

Dissertations

Protection of data in cloud computing including distributed environments is a critical concern for many enterprises. This study proposes a solution that protects sensitive data outsourced to a cloud throughout their entire life cycle—both in the cloud as well as outside of the cloud (e.g., during transmission to or from the cloud). The solution enhances the existing data protection approach known as Active Bundle scheme, which uses a Trusted Third Party (ABTTP).

The Active Data Bundle (ADB) was formerly called an Active Bundle (AB). It is a software construct that encapsulates data, metadata, and a virtual machine (VM). The metadata …

Tradeoffs In Protocol Designs For Collaborative Authentication, Jacob Venne

USF Tampa Graduate Theses and Dissertations

Authentication is a crucial tool used in access control mechanisms to verify a user’s identity. Collaborative Authentication (co-authentication) is a newly proposed authentication scheme designed to improve on traditional token authentication. Co-authentication works by using multiple user devices as tokens to collaborate in a challenge and authenticate a user request on single device.

This thesis adds two contributions to the co-authentication project. First, a detailed survey of applications that are suitable for adopting co-authentication is presented. Second, an analysis of tradeoffs between varying protocol designs of co-authentication is performed to determine whether, and how, any designs are superior to other …

Initial Comparative Empirical Usability Testing For The Collaborative Authentication System, Kim Bursum

USF Tampa Graduate Theses and Dissertations

The Collaborative Authentication (co-authentication) system is an authentication system that relies on some or all members of a pre-registered set of secure hardware tokens being concurrently present to an authentication server at the moment of authentication. Previous researchers have compared various embodiments of the co-authentication system to each other including using Quick Response (QR) codes/cellphone cameras and Near Field Communication (NFC) between tokens. This thesis concerns the initial design and implementation of empirical comparative testing mechanisms between one embodiment of the co-authentication system and other commonly used authentication systems. One contribution is the simulated standard user ID and password login …

Deduplication On Encrypted Big Data In Cloud, Zheng Yan, Wenxiu Ding, Xixun Yu, Haiqi Zhu, Deng, Robert H.

Research Collection School Of Computing and Information Systems

Cloud computing offers a new way of service provision by re-arranging various resources over the Internet. The most important and popular cloud service is data storage. In order to preserve the privacy of data holders, data are often stored in cloud in an encrypted form. However, encrypted data introduce new challenges for cloud data deduplication, which becomes crucial for big data storage and processing in cloud. Traditional deduplication schemes cannot work on encrypted data. Existing solutions of encrypted data deduplication suffer from security weakness. They cannot flexibly support data access control and revocation. Therefore, few of them can be readily …

Towards Secure Online Distribution Of Multimedia Codestreams, Swee Won Lo

Dissertations and Theses Collection (Open Access)

Multimedia codestreams distributed through open and insecure networks are subjected to attacks such as malicious content tampering and unauthorized accesses. This dissertation first addresses the issue of authentication as a mean to integrity - protect multimedia codestreams against malicious tampering. Two cryptographic-based authentication schemes are proposed to authenticate generic scalable video codestreams with a multi-layered structure. The first scheme combines the salient features of hash-chaining and double error correction coding to achieve loss resiliency with low communication overhead and proxy-transparency. The second scheme further improves computation cost by replacing digital signature with a hash-based message authentication code to achieve packet-level …

Developing A Compiler For A Regular Expression Based Policy Specification Language, Cory Michael Juhlin

USF Tampa Graduate Theses and Dissertations

Security policy specification languages are a response to today's complex and vulnerable software climate. These languages allow an individual or organization to restrict and modify the behavior of third-party applications such that they adhere to the rules specified in the policy. As software grows in complexity, so do the security policies that govern them. Existing policy specification languages have not adapted to the growing complexity of the software they govern and as a result do not scale well, often resulting in code that is overly complex or unreadable. Writing small, isolated policies as separate modules and combining them is known …

Authentication Via Multiple Associated Devices, Jean-Baptiste Subils

USF Tampa Graduate Theses and Dissertations

This thesis presents a practical method of authentication utilizing multiple devices. The factors contributing to the practicality of the method are: the utilization of devices already commonly possessed by users and the amenability to being implemented on a wide variety of devices. The term “device” refers to anything able to perform cryptographic operations, store data, and communicate with another such device.

In the method presented herein, multiple devices need to be associated with a single user to provide this user an identity in the system. A public key infrastructure is used to provide this identity. Each of the devices associated …

Design And Implementation Of Digital Information Security For Physical Documents, Pengcheng Wang

Masters Theses

The objective of this thesis is to improve the security for physical paper documents. Providing information security has been difficult in environments that rely on physical paper documents to implement business processes. Our work presents the design of a digital information security system for paper documents, called "CryptoPaper", that uses 2-dimensional codes to represent data and its security properties on paper. A special scanner system is designed for "CryptoPaper" which uses image recognition techniques and cloud-based access control to display plaintext of encrypted and encoded data to authorized users.

Multidimensional Context Awareness In Mobile Devices, Zhuo Wei, Robert H. Deng, Jialie Shen, Jixiang Zhu, Kun Ouyang, Yongdong Wu

Research Collection School Of Computing and Information Systems

With the increase of mobile computation ability and the development of wireless network transmission technology, mobile devices not only are the important tools of personal life (e.g., education and entertainment), but also emerge as indispensable "secretary" of business activities (e.g., email and phone call). However, since mobile devices could work under complex and dynamic local and network conditions, they are vulnerable to local and remote security attacks. In real applications, different kinds of data protection are required by various local contexts. To provide appropriate protection, we propose a multidimensional context (MContext) scheme to comprehensively model and characterize the scene and …

Design, Testing And Implementation Of A New Authentication Method Using Multiple Devices, Cagri Cetin

USF Tampa Graduate Theses and Dissertations

Authentication protocols are very common mechanisms to confirm the legitimacy of someone’s or something’s identity in digital and physical systems.

This thesis presents a new and robust authentication method based on users’ multiple devices. Due to the popularity of mobile devices, users are becoming more likely to have more than one device (e.g., smartwatch, smartphone, laptop, tablet, smart-car, smart-ring, etc.). The authentication system presented here takes advantage of these multiple devices to implement authentication mechanisms. In particular, the system requires the devices to collaborate with each other in order for the authentication to succeed. This new authentication protocol is robust …

Framework To Implement Authentication, Authorization And Secure Communications In A Multiuser Collaborative Cax Environment, Francis Mensah

Theses and Dissertations

Computer Aided Design (CAD) applications have historically been based on a single user per application architecture. Although this architecture is still popular to date, it does have several drawbacks. First of all the single user CAD architecture inhibits a concurrent engineering design process where several designers can work on the same model simultaneously. This limitation introduces time inefficiency especially when a project involves geographically dispersed designers. A solution to these drawbacks could be a transition from the traditional single user CAD architecture to a multiuser collaborative architecture. Advances in computer networking technologies, especially relating to the Internet, have provided the …

Assessing Vulnerabilities Of Biometric Readers Using An Applied Defeat Evaluation Methodology, David Brooks

David J Brooks Dr.

Access control systems using biometric identification readers are becoming common within critical infrastructure and other high security applications. There is a perception that biometric, due to their ability to identify and validate the user, are more secure. However, biometric systems are vulnerable to many categories of attack vectors and there has been restricted research into such defeat vulnerabilities. This study expands on a past article (Brooks, 2009) that presented a defeat evaluation methodology applied to high-security biometric readers. The defeat methodology is represented, but applied to both fingerprint and back-of-hand biometric readers. Defeat evaluation included both physical and technical integrity …

An Efficient Certificateless Encryption For Secure Data Sharing In Public Clouds, Seung-Hyun Seo, Mohamed Yoosuf Mohamed Nabeel, Xiaoyu Ding, Elisa Bertino

Cyber Center Publications

We propose a mediated certificateless encryption scheme without pairing operations for securely sharing sensitive information in public clouds. Mediated certificateless public key encryption (mCL-PKE) solves the key escrow problem in identity based encryption and certificate revocation problem in public key cryptography. However, existing mCL-PKE schemes are either inefficient because of the use of expensive pairing operations or vulnerable against partial decryption attacks. In order to address the performance and security issues, in this paper, we first propose a mCL-PKE scheme without using pairing operations. We apply our mCL-PKE scheme to construct a practical solution to the problem of sharing sensitive …

Application Of Risk Metrics For Role Mining, Sharmin Ahmed

Electronic Thesis and Dissertation Repository

Incorporating risk consideration in access control systems has recently become a popular research topic. Related to this is risk awareness which is needed to enable access control in an agile and dynamic way. While risk awareness is probably known for an established access control system, being aware of risk even before the access control system is defined can mean identification of users and permissions that are most likely to lead to dangerous or error-prone situations from an administration point of view. Having this information available during the role engineering phase allows data analysts and role engineers to highlight potentially risky …

Permission Based Android Security: Issues And Countermeasures, Zheran Fang, Weili Han, Yingjiu Li

Research Collection School Of Computing and Information Systems

Android security has been a hot spot recently in both academic research and public concerns due to numerous instances of security attacks and privacy leakage on Android platform. Android security has been built upon a permission based mechanism which restricts accesses of third-party Android applications to critical resources on an Android device. Such permission based mechanism is widely criticized for its coarse-grained control of application permissions and difficult management of permissions by developers, marketers, and end-users. In this paper, we investigate the arising issues in Android security, including coarse granularity of permissions, incompetent permission administration, insufficient permission documentation, over-claim of …

A Systematic Security Evaluation Of Android’S Multi-User Framework, Edward Paul Ratazzi, Yousra Aafer, Amit Ahlawat, Hao Hao, Yifei Wang, Wenliang Du

Electrical Engineering and Computer Science - All Scholarship

Like many desktop operating systems in the 1990s, Android is now in the process of including support for multiuser scenarios. Because these scenarios introduce new threats to the system, we should have an understanding of how well the system design addresses them. Since the security implications of multi-user support are truly pervasive, we developed a systematic approach to studying the system and identifying problems. Unlike other approaches that focus on specific attacks or threat models, ours systematically identifies critical places where access controls are not present or do not properly identify the subject and object of a decision. Finding these …

Zebra: Zero-Effort Bilateral Recurring Authentication, Shrirang Mare, Andrés Molina-Markham, Cory Cornelius, Ronald Peterson, David Kotz

Dartmouth Scholarship

Common authentication methods based on passwords, tokens, or fingerprints perform one-time authentication and rely on users to log out from the computer terminal when they leave. Users often do not log out, however, which is a security risk. The most common solution, inactivity timeouts, inevitably fail security (too long a timeout) or usability (too short a timeout) goals. One solution is to authenticate users continuously while they are using the terminal and automatically log them out when they leave. Several solutions are based on user proximity, but these are not sufficient: they only confirm whether the user is nearby but …

A Firewall Model Of File System Security, Lihui Hu

Dissertations, Master's Theses and Master's Reports - Open

File system security is fundamental to the security of UNIX and Linux systems since in these systems almost everything is in the form of a file. To protect the system files and other sensitive user files from unauthorized accesses, certain security schemes are chosen and used by different organizations in their computer systems. A file system security model provides a formal description of a protection system. Each security model is associated with specified security policies which focus on one or more of the security principles: confidentiality, integrity and availability. The security policy is not only about “who” can access an …

Access Control Delegation In The Clouds, Pavani Gorantla

Masters Theses

"Current market trends need solutions/products to be developed at high speed. To meet those requirements sometimes it requires collaboration between the organizations. Modern workforce is increasingly distributed, mobile and virtual which will incur hurdles for communication and effective collaboration within organizations. One of the greatest benefits of cloud computing has to do with improvements to organizations communication and collaboration, both internally and externally. Because of the efficient services that are being offered by the cloud service providers today, many business organizations started taking advantage of cloud services. Specifically, Cloud computing enables a new form of service in that a service …

Attribute-Based Access To Scalable Media In Cloud-Assisted Content Sharing, Yongdong Wu, Zhuo Wei, Robert H. Deng

Research Collection School Of Computing and Information Systems

This paper presents a novel Multi-message Ciphertext Policy Attribute-Based Encryption (MCP-ABE) technique, and employs the MCP-ABE to design an access control scheme for sharing scalable media based on data consumers’ attributes (e.g., age, nationality, gender) rather than an explicit list of the consumers’ names. The scheme is efficient and flexible because MCP-ABE allows a content provider to specify an access policy and encrypt multiple messages within one ciphertext such that only the users whose attributes satisfy the access policy can decrypt the ciphertext. Moreover, the paper shows how to support resource-limited mobile devices by offloading computational intensive perations to cloud …

Enforcing Secure And Privacy-Preserving Information Brokering In Distributed Information Sharing, Fengjun Li, Bo Luo, Peng Liu, Dongwon Lee, Chao-Hsien Chu

Research Collection School Of Computing and Information Systems

Today’s organizations raise an increasing need for information sharing via on-demand access. Information brokering systems (IBSs) have been proposed to connect large-scale loosely federated data sources via a brokering overlay, in which the brokers make routing decisions to direct client queries to the requested data servers. Many existing IBSs assume that brokers are trusted and thus only adopt server-side access control for data confidentiality. However, privacy of data location and data consumer can still be inferred from metadata (such as query and access control rules) exchanged within the IBS, but little attention has been put on its protection. In this …

Prevention And Detection Of Intrusions In Wireless Sensor Networks, Ismail Butun

USF Tampa Graduate Theses and Dissertations

Wireless Sensor Networks (WSNs) continue to grow as one of the most exciting and challenging research areas of engineering. They are characterized by severely constrained computational and energy

resources and also restricted by the ad-hoc network operational

environment. They pose unique challenges, due to limited power

supplies, low transmission bandwidth, small memory sizes and limited energy. Therefore, security techniques used in traditional networks cannot be directly adopted. So, new ideas and approaches are needed, in order to increase the overall security of the network. Security applications in such resource constrained WSNs with minimum overhead provides significant challenges, and is the …