The security and privacy of usage policies and provenance logs in an Information Accountability Framework

The potential benefits of shared eHealth records systems are promising for the future of improved healthcare. However, the uptake of such systems is hindered by concerns over the security and privacy of patient information. The use of Information Accountability and so called Accountable-eHealth (AeH) systems has been proposed to balance the privacy concerns of patients with the information needs of healthcare professionals. However, a number of challenges remain before AeH systems can become a reality. Among these is the need to protect the information stored in the usage policies and provenance logs used by AeH systems to define appropriate use of information and hold users accountable for their actions. In this paper, we discuss the privacy and security issues surrounding these accountability mechanisms, define valid access to the information they contain, discuss solutions to protect them, and verify and model an implementation of the access requirements as part of an Information Accountability Framework.

Strategic supply chain management factors influencing agribusiness innovation utilization

Purpose – The purpose of this paper is to examine empirically, an industry development paradox, using embryonic literature in the area of strategic supply chain management, together with innovation management literature. This study seeks to understand how, forming strategic supply chain relationships, and developing strategic supply chain capability, influences beneficial supply chain outcomes expected from utilizing industry-led innovation, in the form of electronic business solutions using the internet, in the Australian beef industry. Findings should add valuable insights to both academics and practitioners in the fields of supply chain innovation management and strategic supply chain management, and expand knowledge to current literature. Design/methodology/approach – This is a quantitative study comparing innovative and non-innovative supply chain operatives in the Australian beef industry, through factor analysis and structural equation modeling using PAWS Statistical V18 and AMOS V18 to analyze survey data from 412 respondents from the Australian beef supply chain. Findings – Key findings are that both innovative and non-innovative supply chain operators attribute supply chain synchronization as only a minor indicator of strategic supply chain capability, contrary to the literature; and they also indicate strategic supply chain capability has a minor influence in achieving beneficial outcomes from utilizing industry-led innovation. These results suggest a lack of coordination between supply chain operatives in the industry. They also suggest a lack of understanding of the benefits of developing a strategic supply chain management competence, particularly in relation to innovation agendas, and provides valuable insights as to why an industry paradox exists in terms of the level of investment in industry-led innovation, vs the level of corresponding benefit achieved. Research limitations/implications – Results are not generalized due to the single agribusiness industry studied and the single research method employed. However, this provides opportunity for further agribusiness studies in this area and also studies using alternate methods, such as qualitative, in-depth analysis of these factors and their relationships, which may confirm results or produce different results. Further, this study empirically extends existing theoretical contributions and insights into the roles of strategic supply chain management and innovation management in improving supply chain and ultimately industry performance while providing practical insights to supply chain practitioners in this and other similar agribusiness industries. Practical implications – These findings confirm results from a 2007 research (Ketchen et al., 2007) which suggests supply chain practice and teachings need to take a strategic direction in the twenty-first century. To date, competence in supply chain management has built up from functional and process orientations rather than from a strategic perspective. This study confirms that there is a need for more generalists that can integrate with various disciplines, particularly those who can understand and implement strategic supply chain management. Social implications – Possible social implications accrue through the development of responsible government policy in terms of industry supply chains. Strategic supply chain management and supply chain innovation management have impacts to the social fabric of nations through the sustainability of their industries, especially agribusiness industries which deal with food safety and security. If supply chains are now the competitive weapon of nations then funding innovation and managing their supply chain competitiveness in global markets requires a strategic approach from everyone, not just the industry participants. Originality/value – This is original empirical research, seeking to add value to embryonic and important developing literature concerned with adopting a strategic approach to supply chain management. It also seeks to add to existing literature in the area of innovation management, particularly through greater understanding of the implications of nations developing industry-wide, industry-led innovation agendas, and their ramifications to industry supply chains.

On the Security of Two RFID Mutual Authentication Protocols

In this paper, the security of two recent RFID mutual authentication protocols are investigated. The first protocol is a scheme proposed by Huang et al. [7] and the second one by Huang, Lin and Li [6]. We show that these two protocols have several weaknesses. In Huang et al.’s scheme, an adversary can determine the 32-bit secret password with a probability of 2−2 , and in Huang-Lin-Li scheme, a passive adversary can recognize a target tag with a success probability of 1−2−4 and an active adversary can determine all 32 bits of Access password with success probability of 2−4 . The computational complexity of these attacks is negligible.

The suffix-free-prefix-free hash function construction and its indifferentiability security analysis

In this paper, we observe that in the seminal work on indifferentiability analysis of iterated hash functions by Coron et al. and in subsequent works, the initial value (IV) of hash functions is fixed. In addition, these indifferentiability results do not depend on the Merkle–Damgård (MD) strengthening in the padding functionality of the hash functions. We propose a generic n -bit-iterated hash function framework based on an n -bit compression function called suffix-free-prefix-free (SFPF) that works for arbitrary IV s and does not possess MD strengthening. We formally prove that SFPF is indifferentiable from a random oracle (RO) when the compression function is viewed as a fixed input-length random oracle (FIL-RO). We show that some hash function constructions proposed in the literature fit in the SFPF framework while others that do not fit in this framework are not indifferentiable from a RO. We also show that the SFPF hash function framework with the provision of MD strengthening generalizes any n -bit-iterated hash function based on an n -bit compression function and with an n -bit chaining value that is proven indifferentiable from a RO.

Security Analysis of Randomize-Hash-then-Sign Digital Signatures

At CRYPTO 2006, Halevi and Krawczyk proposed two randomized hash function modes and analyzed the security of digital signature algorithms based on these constructions. They showed that the security of signature schemes based on the two randomized hash function modes relies on properties similar to the second preimage resistance rather than on the collision resistance property of the hash functions. One of the randomized hash function modes was named the RMX hash function mode and was recommended for practical purposes. The National Institute of Standards and Technology (NIST), USA standardized a variant of the RMX hash function mode and published this standard in the Special Publication (SP) 800-106. In this article, we first discuss a generic online birthday existential forgery attack of Dang and Perlner on the RMX-hash-then-sign schemes. We show that a variant of this attack can be applied to forge the other randomize-hash-then-sign schemes. We point out practical limitations of the generic forgery attack on the RMX-hash-then-sign schemes. We then show that these limitations can be overcome for the RMX-hash-then-sign schemes if it is easy to find fixed points for the underlying compression functions, such as for the Davies-Meyer construction used in the popular hash functions such as MD5 designed by Rivest and the SHA family of hash functions designed by the National Security Agency (NSA), USA and published by NIST in the Federal Information Processing Standards (FIPS). We show an online birthday forgery attack on this class of signatures by using a variant of Dean’s method of finding fixed point expandable messages for hash functions based on the Davies-Meyer construction. This forgery attack is also applicable to signature schemes based on the variant of RMX standardized by NIST in SP 800-106. We discuss some important applications of our attacks and discuss their applicability on signature schemes based on hash functions with ‘built-in’ randomization. Finally, we compare our attacks on randomize-hash-then-sign schemes with the generic forgery attacks on the standard hash-based message authentication code (HMAC).

Improved Security Analysis of Fugue-256 (Poster)

We present some improved analytical results as part of the ongoing work on the analysis of Fugue-256 hash function, a second round candidate in the NIST’s SHA3 competition. First we improve Aumasson and Phans’ integral distinguisher on the 5.5 rounds of the final transformation of Fugue-256 to 16.5 rounds. Next we improve the designers’ meet-in-the-middle preimage attack on Fugue-256 from 2480 time and memory to 2416. Finally, we comment on possible methods to obtain free-start distinguishers and free-start collisions for Fugue-256.

Individuals, Innovation, and the Internet : Why Access is Essential

As each day passes, and as new and better devices and services are developed, more and more government and private services are being moved to an online format. This movement makes access to the internet an essential for 21st Century life. The internet has become so integrated in our lives that many of us cannot imagine how we could operate without it. This omnipresent ‘being’ affects all forms of ‘normal’ social and economic activity and does so in ways that we do not realize. Those with access are able to engage with government, business, and family and friends more easily, which can lead to an improved standard of living. For the disadvantaged, however – those with the desire but without the capacity – a lack of access can be socially isolating. "Between the idea And the reality Between the motion And the act Falls the Shadow – T. S. Elliott. “The Hollow Men” Engagement in the internet economy requires both physical access and the individual to have the necessary finances and skills to make and sustain their use. If governments and the international community want a fully functioning internet economy this requires that all individuals must be operating in it. That not all individuals do so means, very simply, that the internet economy is not fully functioning. The text contextualizes for policy makers and legislatures why it is essential to ensure that individuals have appropriate access to the internet and what can be done to achieve it. The interrelationship/overlap between why access is essential, how it can be achieved and the central role of the individual to the internet economy is explored and translated into the concept of connectedness. From this, solutions for ensuring connectedness for all individuals are developed. It is Dr Cradduck’s hope that in the not too distant future readers will puzzle over why texts such as this needed to be written.

On Randomizing Hash Functions to Strengthen the Security of Digital Signatures

Halevi and Krawczyk proposed a message randomization algorithm called RMX as a front-end tool to the hash-then-sign digital signature schemes such as DSS and RSA in order to free their reliance on the collision resistance property of the hash functions. They have shown that to forge a RMX-hash-then-sign signature scheme, one has to solve a cryptanalytical task which is related to finding second preimages for the hash function. In this article, we will show how to use Dean’s method of finding expandable messages for finding a second preimage in the Merkle-Damgård hash function to existentially forge a signature scheme based on a t-bit RMX-hash function which uses the Davies-Meyer compression functions (e.g., MD4, MD5, SHA family) in 2 t/2 chosen messages plus 2 t/2 + 1 off-line operations of the compression function and similar amount of memory. This forgery attack also works on the signature schemes that use Davies-Meyer schemes and a variant of RMX published by NIST in its Draft Special Publication (SP) 800-106. We discuss some important applications of our attack.

Security Analysis of salt||password Hashes

Protection of passwords used to authenticate computer systems and networks is one of the most important application of cryptographic hash functions. Due to the application of precomputed memory look up attacks such as birthday and dictionary attacks on the hash values of passwords to find passwords, it is usually recommended to apply hash function to the combination of both the salt and password, denoted salt||password, to prevent these attacks. In this paper, we present the first security analysis of salt||password hashing application. We show that when hash functions based on the compression functions with easily found fixed points are used to compute the salt||password hashes, these hashes are susceptible to precomputed offline birthday attacks. For example, this attack is applicable to the salt||password hashes computed using the standard hash functions such as MD5, SHA-1, SHA-256 and SHA-512 that are based on the popular Davies-Meyer compression function. This attack exposes a subtle property of this application that although the provision of salt prevents an attacker from finding passwords, salts prefixed to the passwords do not prevent an attacker from doing a precomputed birthday attack to forge an unknown password. In this forgery attack, we demonstrate the possibility of building multiple passwords for an unknown password for the same hash value and salt. Interestingly, password||salt (i.e. salts suffixed to the passwords) hashes computed using Davies-Meyer hash functions are not susceptible to this attack, showing the first security gap between the prefix-salt and suffix-salt methods of hashing passwords.

The internet, globalization, and IT professional services

This editorial aims (1) to define IT Professional Services (ITPS) as an increasingly important area of research endeavor, and (2) to consider the impact of the Internet on globalization and the ITPS sector.

Valé Bunny Watson? Law librarians, law libraries, and legal research in the post-internet era

Katharine Hepburn’s entertaining portrayal of reference librarian Bunny Watson in Desk Set (1957) moves her character from apprehension about new technology to an understanding that it is simply another tool. This article outlines the impact of technology on academic legal research. It examines the nature of legal research and the doctrinal method, the importance of law libraries (and librarians) in legal research, and the roles and implications of the Internet and web search engines on legal research methods and education.

The impact of Internet marketing capabilities on international network capability, a cross country study comparison between Australia, Chile and Taiwan internationalised SMEs

The Internet has been shown to positively enhance internationalisation for SMEs, but scant empirical testing limits our understanding of the explicit impact of the Internet on firm internationalisation. This paper highlights key areas where the integration of the Internet can be leveraged through Internet-related capabilities within the internationalisation of the firm. Specifically, this study investigates how Internet marketing capabilities play a role in altering international information availability, international strategic orientation, and international business network relationships. This study provides evidence, indicating that these key relationships may vary between countries. To examine these key relationships this study utilises draws from data small and medium sized enterprises (SMEs) in three export intensive markets; Australia (215 international SMEs), Chile (204 international SMEs) and Taiwan (130 international SMEs); and tests a conceptual model through structural equation modelling. Results from the data show the impact of Internet marketing capabilities in positively impacting traditional internationalisation elements, which varies between countries. That is, our findings highlight the international business network relationships in Australia and Taiwan are directly impacted by Internet marketing capabilities, but not in Chile. We offer some insight into why we see variance across comparative exporting countries in how they leverage new technological capabilities for internationalisation and firm performance.