Open Access. Powered by Scholars. Published by Universities.®

Information Security Commons

4,272 Full-Text Articles 5,942 Authors 3,226,202 Downloads 174 Institutions

All Articles in Information Security

4,272 full-text articles. Page 171 of 182.

Authenticated Key Exchange Under Bad Randomness, Guomin YANG, Shanshan DUAN, Duncan S. WONG, Chik How TAN, Huaxiong WANG 2011 Singapore Management University

Authenticated Key Exchange Under Bad Randomness, Guomin Yang, Shanshan Duan, Duncan S. Wong, Chik How Tan, Huaxiong Wang

Research Collection School Of Computing and Information Systems

We initiate the formal study on authenticated key exchange (AKE) under bad randomness. This could happen when (1) an adversary compromises the randomness source and hence directly controls the randomness of each AKE session; and (2) the randomness repeats in different AKE sessions due to reset attacks. We construct two formal security models, Reset-1 and Reset-2, to capture these two bad randomness situations respectively, and investigate the security of some widely used AKE protocols in these models by showing that they become insecure when the adversary is able to manipulate the randomness. On the positive side, we propose simple but …


Certificateless Public Key Encryption: A New Generic Construction And Two Pairing-Free Schemes, Guomin YANG, Chik How TAN 2011 Singapore Management University

Certificateless Public Key Encryption: A New Generic Construction And Two Pairing-Free Schemes, Guomin Yang, Chik How Tan

Research Collection School Of Computing and Information Systems

The certificateless encryption (CLE) scheme proposed by Baek, Safavi-Naini and Susilo is computation-friendly since it does not require any pairing operation. Unfortunately, an error was later discovered in their security proof and so far the provable security of the scheme remains unknown. Recently, Fiore, Gennaro and Smart showed a generic way (referred to as the FGS transformation) to transform identity-based key agreement protocols to certificateless key encapsulation mechanisms (CL-KEMs). As a typical example, they showed that the pairing-free CL-KEM underlying Baek et al.’s CLE can be “generated” by applying their transformation to the Fiore–Gennaro (FG) identity-based key agreement (IB-KA) protocol. In …


Chameleon All-But-One Tdfs And Their Application To Chosen-Ciphertext Security, Junzuo LAI, Robert H. DENG, Shengli LIU 2011 Singapore Management University

Chameleon All-But-One Tdfs And Their Application To Chosen-Ciphertext Security, Junzuo Lai, Robert H. Deng, Shengli Liu

Research Collection School Of Computing and Information Systems

In STOC’08, Peikert and Waters introduced a new powerful primitive called lossy trapdoor functions (LTDFs) and a richer abstraction called all-but-one trapdoor functions (ABO-TDFs). They also presented a black-box construction of CCA-secure PKE from an LTDF and an ABO-TDF. An important component of their construction is the use of a strongly unforgeable one-time signature scheme for CCA-security. In this paper, we introduce the notion of chameleon ABO-TDFs, which is a special kind of ABO-TDFs. We give a generic as well as a concrete construction of chameleon ABO-TDFs. Based on an LTDF and a chameleon ABO-TDF, we presented a black-box construction, free …


Secure Mobile Subscription Of Sensor-Encrypted Data, Cheng-Kang CHU, Wen-Tao ZHU, Sherman S. M. CHOW, Jianying ZHOU, Robert H. DENG 2011 Institute of InfoComm Research, Singapore

Secure Mobile Subscription Of Sensor-Encrypted Data, Cheng-Kang Chu, Wen-Tao Zhu, Sherman S. M. Chow, Jianying Zhou, Robert H. Deng

Research Collection School Of Computing and Information Systems

In an end-to-end encryption model for a wireless sensor network (WSN), the network control center preloads encryption and decryption keys to the sensor nodes and the subscribers respectively, such that a subscriber can use a mobile device in the deployment field to decrypt the sensed data encrypted by the more resource-constrained sensor nodes. This paper proposes SMS-SED, a provably secure yet practically efficient key assignment system featuring a discrete time-based access control, to better support a business model where the sensors deployer rents the WSN to customers who desire a higher flexibility beyond subscribing to strictly consecutive periods. In SMS-SED, …


Fraud Detection In Online Consumer Reviews, Nan HU, Ling LIU, Vallbh SAMBAMURTHY 2011 Singapore Management University

Fraud Detection In Online Consumer Reviews, Nan Hu, Ling Liu, Vallbh Sambamurthy

Research Collection School Of Computing and Information Systems

Increasingly, consumers depend on social information channels, such as user-posted online reviews, to make purchase decisions. These reviews are assumed to be unbiased reflections of other consumers' experiences with the products or services. While extensively assumed, the literature has not tested the existence or non-existence of review manipulation. By using data from Amazon and Barnes & Noble, our study investigates if vendors, publishers, and writers consistently manipulate online consumer reviews. We document the existence of online review manipulation and show that the manipulation strategy of firms seems to be a monotonically decreasing function of the product's true quality or the …


Fraud Detection In Online Consumer Reviews, Nan HU, Ling LIU, Vallabh SAMBAMURTHY 2011 Singapore Management University

Fraud Detection In Online Consumer Reviews, Nan Hu, Ling Liu, Vallabh Sambamurthy

Research Collection School Of Computing and Information Systems

Increasingly, consumers depend on social information channels, such as user-posted online reviews, to make purchase decisions. These reviews are assumed to be unbiased reflections of other consumers' experiences with the products or services. While extensively assumed, the literature has not tested the existence or non-existence of review manipulation. By using data from Amazon and Barnes & Noble, our study investigates if vendors, publishers, and writers consistently manipulate online consumer reviews. We document the existence of online review manipulation and show that the manipulation strategy of firms seems to be a monotonically decreasing function of the product's true quality or the …


Cryptanalysis Of A Certificateless Signcryption Scheme In The Standard Model, Jian WENG, Guoxiang YAO, Robert H. DENG, Min-Rong CHEN, Xianxue LI 2011 Beijing University of Posts and Telecommunications

Cryptanalysis Of A Certificateless Signcryption Scheme In The Standard Model, Jian Weng, Guoxiang Yao, Robert H. Deng, Min-Rong Chen, Xianxue Li

Research Collection School Of Computing and Information Systems

Certificateless signcryption is a useful primitive which simultaneously provides the functionalities of certificateless encryption and certificateless signature. Recently, Liu et al. [15] proposed a new certificateless signcryption scheme, and claimed that their scheme is provably secure without random oracles in a strengthened security model, where the malicious-but-passive KGC attack is considered. Unfortunately, by giving concrete attacks, we indicate that Liu et al.'s certificateless signcryption scheme is not secure in this strengthened security model.


Database Access Pattern Protection Without Full-Shuffles, Xuhua DING, Yanjiang YANG, Robert H. DENG 2011 Singapore Management University

Database Access Pattern Protection Without Full-Shuffles, Xuhua Ding, Yanjiang Yang, Robert H. Deng

Research Collection School Of Computing and Information Systems

Privacy protection is one of the fundamental security requirements for database outsourcing. A major threat is information leakage from database access patterns generated by query executions. The standard private information retrieval (PIR) schemes, which are widely regarded as theoretical solutions, entail O(n) computational overhead per query for a database with items. Recent works propose to protect access patterns by introducing a trusted component with constant storage size. The resulting privacy assurance is as strong as PIR, though with O(1) online computation cost, they still have O(n) amortized cost per query due to periodically full database shuffles. In this paper, we …


Efficient And Expressive Fully Secure Attribute-Based Signature In The Standard Model, Piyi Yang, Tanveer A. Zia, Zhenfu Cao, Xiaolei Dong 2011 University of Shanghai for Science and Technology

Efficient And Expressive Fully Secure Attribute-Based Signature In The Standard Model, Piyi Yang, Tanveer A. Zia, Zhenfu Cao, Xiaolei Dong

Australian Information Security Management Conference

Designing a fully secure (adaptive-predicate unforgeable and perfectly private) attribute-based signature (ABS), which allows a signer to choose a set of attributes instead of a single string representing the signer's identity, under standard cryptographic assumption in the standard model is a challenging problem. Existing schemes are either too complicated or only proved in the generic group model. In this paper, we present an efficient fully secure ABS scheme in the standard model based on q-parallel BDHE assumption which is more practical than the generic group model used in the previous scheme. To the best of our knowledge, our scheme …


A Risk Index Model For Security Incident Prioritisation, Nor Badrul Anuar, Steven Furnell, Maria Papadaki, Nathan Clarke 2011 Plymouth University, United Kingdom

A Risk Index Model For Security Incident Prioritisation, Nor Badrul Anuar, Steven Furnell, Maria Papadaki, Nathan Clarke

Australian Information Security Management Conference

With thousands of incidents identified by security appliances every day, the process of distinguishing which incidents are important and which are trivial is complicated. This paper proposes an incident prioritisation model, the Risk Index Model (RIM), which is based on risk assessment and the Analytic Hierarchy Process (AHP). The model uses indicators, such as criticality, maintainability, replaceability, and dependability as decision factors to calculate incidents’ risk index. The RIM was validated using the MIT DARPA LLDOS 1.0 dataset, and the results were compared against the combined priorities of the Common Vulnerability Scoring System (CVSS) v2 and Snort Priority. The experimental …


Understanding The Management Of Information Security Controls In Practice, Daniel Bachlechner, Ronald Maier, Frank Innerhofer-Oberperfler, Lukas Demetz 2011 University of Innsbruck

Understanding The Management Of Information Security Controls In Practice, Daniel Bachlechner, Ronald Maier, Frank Innerhofer-Oberperfler, Lukas Demetz

Australian Information Security Management Conference

The ever greater reliance on complex information technology environments together with dynamically changing threat scenarios and increasing compliance requirements make an efficient and effective management of information security controls a key concern for most organizations. Good practice collections such as COBIT and ITIL as well as related standards such as the ones belonging to the ISO/IEC 27000 family provide useful starting points for control management. However, neither good practice collections and standards nor scholarly literature explain how the management of controls actually is performed in organizations or how the current state-of-practice can be improved. A series of interviews with information …


Seniors Language Paradigms: 21st Century Jargon And The Impact On Computer Security And Financial Transactions For Senior Citizens, David M. Cook, Patryk Szewczyk, Krishnun Sansurooah 2011 Edith Cowan University

Seniors Language Paradigms: 21st Century Jargon And The Impact On Computer Security And Financial Transactions For Senior Citizens, David M. Cook, Patryk Szewczyk, Krishnun Sansurooah

Australian Information Security Management Conference

Senior Citizens represent a unique cohort of computer users insomuch as they have come to the field of computer usage later in life, as novices compared to other users. As a group they exhibit a resentment, mistrust and ignorance towards cyber related technology that is born out of their educational and social experiences prior to widespread information technology. The shift from analogue to digital proficiency has been understated for a generation of citizens who were educated before computer usage and internet ubiquity. This paper examines the language difficulties encountered by senior citizens in attempting to engage in banking and communications …


An Agile It Security Model For Project Risk Assessment, Damien Hutchinson, Heath Maddern, Jason Wells 2011 Deakin University

An Agile It Security Model For Project Risk Assessment, Damien Hutchinson, Heath Maddern, Jason Wells

Australian Information Security Management Conference

There are two fundamental challenges in effectively performing security risk assessment in today's IT projects. The first is the project manager's need to know what IT security risks face the project before the project begins. At this stage IT security staff are unable to answer this question without first knowing the system requirements for the project which are yet to be defined. Second, organisations that deal with a large project throughput each year find the current IT security risk assessment process to be tedious and expensive, especially when the same process has to be repeated for each individual project. This …


Security Aspects Of Sensor-Based Defence Systems, Michael N. Johnstone 2011 Edith Cowan University

Security Aspects Of Sensor-Based Defence Systems, Michael N. Johnstone

Australian Information Security Management Conference

The Australian Defence Force (ADF) has IMAP and JMAP to perform planning prior to the deployment of forces, but there is a knowledge gap for on-ground forces during the execution of an operation. Multi-agent based sensor systems can provide on-ground forces with a significant amount of real-time information that can be used to modify planning due to changed conditions. The issue with such sensor systems is the degree to which they are vulnerable to attack by opposing forces. This paper explores the types of attack that could be successful and proposes defences that could be put in place to circumvent …


An Empirical Study Of Challenges In Managing The Security In Cloud Computing, Bupesh Mansukhani, Tanveer A. Zia 2011 Charles Sturt University

An Empirical Study Of Challenges In Managing The Security In Cloud Computing, Bupesh Mansukhani, Tanveer A. Zia

Australian Information Security Management Conference

Cloud computing is being heralded as an important trend in information technology throughout the world. Benefits for business and IT include reducing costs and increasing productivity. The downside is that many organizations are moving swiftly to the cloud without making sure that the information they put in the cloud is secure. The purpose of this paper is to learn from IT and IT security practitioners in the Indian Continent the current state of cloud computing security in their organizations and the most significant changes anticipated by respondents as computing resources migrate from on-premise to the cloud. As organizations grapple with …


Stakeholders In Security Policy Development, S B. Maynard, A B. Ruighaver, A Ahmad 2011 University of Melbourne

Stakeholders In Security Policy Development, S B. Maynard, A B. Ruighaver, A Ahmad

Australian Information Security Management Conference

The Information Security Policy (ISP) of an organisation is expected to specify for employees their behaviour towards security, and the security ethos of the organisation. However, there are a wide range of opinions and expertise that should be considered by organisations when developing an ISP. This paper aims to identify the stakeholders that should be utilised in an ISP development process and how this may differ based on organisational size. The research identifies from literature nine stakeholder roles that are suggested to be required in an ISP development process. Contextual interviews are then used to validate these nine stakeholder roles …


An Exploratory Study Of Erm Perception In Oman And Proposing A Maturity Model For Risk Optimization, Arun N. Shivashankarappa, D Ramalingam, Leonid Smalov, N Anbazhagan 2011 Coventry University, United Kingdom

An Exploratory Study Of Erm Perception In Oman And Proposing A Maturity Model For Risk Optimization, Arun N. Shivashankarappa, D Ramalingam, Leonid Smalov, N Anbazhagan

Australian Information Security Management Conference

Enterprise Risk Management is a process vital to enterprise governance which has gained tremendous momentum in modern business due to the dynamic nature of threats, vulnerability and stringent regulatory requirements. The business owners have realized that risk creates opportunity which in turn creates value. Identifying and mitigating risk proactively across the enterprise is the purview of Enterprise Risk Management (ERM). However, key errors in the ERM process such as misinterpretation of statistical data, overlooking change management, inadequate attention to supply chain interdependencies, excessive trust of insiders and business partners, ambiguous grouping of risks and poor documentation has contributed significantly to the …


Help Or Hindrance: The Practicality Of Applying Security Standards In Healthcare, Patricia A H Williams 2011 Edith Cowan University

Help Or Hindrance: The Practicality Of Applying Security Standards In Healthcare, Patricia A H Williams

Australian Information Security Management Conference

The protection of patient information is now more important as a national e-health system approaches reality in Australia. The major challenge for health care providers is to understand the importance of information security whilst also incorporating effective protection into established workflow and daily activity. Why then, when it is difficult for IT and security professionals to navigate through and apply the myriad of information security standards, do we expect small enterprises such as primary health care providers to also be able to do this? This is an onerous and impractical task without significant assistance. In the development of the new Computer …


A Comparison Of Forensic Evidence Recovery: Techniques For A Windows Mobile Smart Phone, George Grispos, Tim Storer, William Bradley Glisson 2011 University of Nebraska at Omaha

A Comparison Of Forensic Evidence Recovery: Techniques For A Windows Mobile Smart Phone, George Grispos, Tim Storer, William Bradley Glisson

Interdisciplinary Informatics Faculty Publications

Acquisition, decoding and presentation of information from mobile devices is complex and challenging. Device memory is usually integrated into the device, making isolation prior to recovery difficult. In addition, manufacturers have adopted a variety of file systems and formats complicating decoding and presentation.

A variety of tools and methods have been developed (both commercially and in the open source community) to assist mobile forensics investigators. However, it is unclear to what extent these tools can present a complete view of the information held on a mobile device, or the extent the results produced by different tools are consistent.

This paper …


Behaviour Profiling For Transparent Authentication For Mobile Devices, Fudong Li, Nathan Clarke, Maria Papadaki, Paul Dowland 2011 Edith Cowan University

Behaviour Profiling For Transparent Authentication For Mobile Devices, Fudong Li, Nathan Clarke, Maria Papadaki, Paul Dowland

Research outputs 2011

Since the first handheld cellular phone was introduced in the 1970s, the mobile phone has changed significantly both in terms of popularity and functionality. With more than 4.6 billion subscribers around the world, it has become a ubiquitous device in our daily life. Apart from the traditional telephony and text messaging services, people are enjoying a much wider range of mobile services over a variety of network connections in the form of mobile applications. Although a number of security mechanisms such as authentication, antivirus, and firewall applications are available, it is still difficult to keep up with various mobile threats (i.e. …


Digital Commons powered by bepress