9 results for Outsource-secure algorithm

in Deakin Research Online - Australia





Attribute-based signature (ABS) enables users to sign messages over attributes without revealing any information other than the fact that they have attested to the messages. However, a heavy computational cost is required during signing in existing ABS schemes, which grows linearly with the size of the predicate formula. As a result, this presents a significant challenge for resource-constrained devices (such as mobile devices or RFID tags) to perform such heavy computations independently. Aiming at tackling the challenge above, we first propose and formalize a new paradigm called Outsourced ABS, i.e., OABS, in which the computational overhead at the user side is greatly reduced through outsourcing intensive computations to an untrusted signing-cloud service provider (S-CSP). Furthermore, we apply this novel paradigm to existing ABS schemes to reduce the complexity. As a result, we present two concrete OABS schemes: i) in the first OABS scheme, the number of exponentiations involved in signing is reduced from O(d) to O(1) (nearly three), where d is the upper bound of the threshold value defined in the predicate; ii) our second scheme is built on Herranz et al.'s construction with constant-size signatures. The number of exponentiations in signing is reduced from O(d²) to O(d) and the communication overhead is O(1). Security analysis demonstrates that both OABS schemes are secure in terms of the unforgeability and attribute-signer privacy definitions specified in the proposed security model. Finally, to allow for high efficiency and flexibility, we discuss extensions of OABS and show how to achieve accountability as well.





Traditional approaches such as theorem proving and model checking have been successfully used to analyze security protocols. Ideally, they assume the data communication is reliable and require the user to predetermine authentication goals. However, missing and inconsistent data have been largely ignored, and increasingly complicated security protocols make it difficult to predefine such goals. This paper presents a novel approach to analyzing security protocols using association rule mining. It is able not only to validate the reliability of transactions but also to discover potential correlations between secure messages. The algorithm and experiment demonstrate that our approaches are useful and promising.





Service-oriented wireless sensor networks (WSNs) are receiving more and more attention because service computing can hide the complexity of WSNs and enables simple and transparent access to individual sensor nodes. Existing WSNs mainly use IEEE 802.15.4 as their communication specification; however, this protocol suite cannot support IP-based routing and service-oriented access because it only specifies a set of physical- and MAC-layer protocols. For inosculating WSNs with IP networks, IEEE proposed 6LoWPAN (IPv6 over LoW Power wireless Area Networks) as the adaptation layer between the IP and MAC layers. However, it is still a challenging task to discover and manage sensor resources, guarantee the security of WSNs and route messages over resource-restricted sensor nodes. This paper is set to address these three key issues. Firstly, we propose a service-oriented WSN architectural model based on 6LoWPAN and design a lightweight service middleware SOWAM (service-oriented WSN architecture middleware), where each sensor node provides a collection of services and is managed by our SOWAM. Secondly, we develop a security mechanism for the authentication and secure connection among users and sensor nodes. Finally, we propose an energy-aware mesh routing protocol (EAMR) for message transmission in a WSN with multiple mobile sinks, aiming at prolonging the lifetime of WSNs as long as possible. In our EAMR, sensor nodes with residual energy lower than a threshold do not forward messages for other nodes until the threshold is leveled down. As a result, the energy consumption is evened over sensor nodes significantly. The experimental results demonstrate the feasibility of our service-oriented approach and lightweight middleware SOWAM, as well as the effectiveness of our routing algorithm EAMR.





Existing business models require an RFID tag to transfer its ownership during its life cycle. As a result, an RFID tag might have many owners during its life cycle. However, the transfer of ownership should ensure that previous owners have no information about the current owner's data. Physical ownership does not ensure digital ownership transfer given the wireless nature of communication with RFID tags. Most of the proposed protocols of this nature are inapplicable to all existing RFID tag ownership transfer scenarios. Moreover, they have many security concerns and vulnerabilities. In this paper, we have investigated and discussed all existing business cases and their transfer scenarios. To cover all ownership transfer scenarios, we have presented an ownership transfer protocol. The proposed protocol uses a modified Diffie-Hellman algorithm to perform ownership request validation and authentication of the involved parties. Performance comparison shows that our protocol is practical to implement on passive low-cost RFID tags, securely performs tag ownership transfer and can be used for all existing ownership transfer scenarios.





Software-defined networking (SDN) is the next generation of networking architecture that is dynamic, manageable, cost-effective, and adaptable, making it ideal for the high-bandwidth, dynamic nature of today's applications. In SDN, network management is facilitated through software rather than low-level device configurations. However, the centralized control plane introduced by SDN imposes a great challenge for network security. In this paper, we present a secure SDN structure, in which each device is managed by multiple controllers rather than a single one as in the traditional manner. It can resist Byzantine attacks on controllers and on the communication links between controllers and SDN switches. Furthermore, we design a cost-efficient controller assignment algorithm to minimize the number of required controllers for a given set of switches. Extensive simulations have been conducted to show that our proposed algorithm significantly outperforms random algorithms. © 2014 IEEE.





Networked systems have adopted Radio Frequency Identification (RFID) technology to automate their business processes. Networked RFID Systems (NRS) have some unique characteristics which raise new privacy and security concerns for organizations and their NRS systems. Businesses are always realizing new business needs using NRS. One of the most recent business realizations of NRS implementation on large-scale distributed systems (such as the Internet of Things (IoT) and supply chains) is to ensure visibility and traceability of the object throughout the chain. However, this requires assurance of security and privacy to ensure lawful business operation. In this paper, we propose a secure tracker protocol that will ensure not only visibility and traceability of the object but also genuineness of the object and its travel path on-site. The proposed protocol uses a Physically Unclonable Function (PUF), the Diffie-Hellman algorithm and simple cryptographic primitives to protect the privacy of the partners and to provide protection against injection of fake objects, non-repudiation, and unclonability. The tag only performs simple mathematical computations (such as combination, PUF and division), which makes the proposed protocol suitable for passive tags. To verify our security claims, we performed experiments on a Security Protocol Description Language (SPDL) model of the proposed protocol using the automated claim verification tool Scyther. Our experiments not only verified our claims but also helped us to eliminate possible attacks identified by Scyther.





Identity-based encryption (IBE) allows one party to send ciphered messages to another using an arbitrary identity string as an encryption key. Since IBE does not require prior generation and distribution of keys, it greatly simplifies key management in public-key cryptography. According to the Menezes-Okamoto-Vanstone (MOV) reduction theory, an IBE scheme based on a bilinear map loses the high efficiency of elliptic curves because of the requirement of large security parameters. Therefore, it is important to build a provably secure IBE scheme without a bilinear map. To this end, this paper proposes an improved IBE scheme that differs from the previous schemes in that it does not use a symmetric encryption algorithm. Furthermore, it can be proven secure against adaptively chosen identity and chosen plaintext attacks in the standard model. Elaborate security and performance analyses demonstrate that this new scheme outperforms the previous ones in terms of the time complexity of encryption and decryption.





Cyber-physical-social systems (CPSS) allow individuals to share personal information collected from not only cyberspace but also physical space. This has resulted in generating numerous data at a user's local storage. However, it is very expensive for users to store large data sets, and it also causes problems in data management. Therefore, it is of critical importance to outsource the data to cloud servers, which provides users an easy, cost-effective, and flexible way to manage data, whereas users lose control of their data once they outsource them to cloud servers, which poses challenges to the integrity of outsourced data. Many schemes have been proposed to allow a third-party auditor to verify data integrity using the public keys of users. Most of these schemes bear a strong assumption: the auditors are honest and reliable, and are thereby vulnerable in the case that auditors are malicious. Moreover, in most of these schemes, an auditor needs to manage users' certificates to choose the correct public keys for verification. In this paper, we propose a secure certificateless public integrity verification scheme (SCLPV). The SCLPV is the first work that simultaneously supports certificateless public verification and resistance against malicious auditors to verify the integrity of outsourced data in CPSS. A formal security proof proves the correctness and security of our scheme. In addition, an elaborate performance analysis demonstrates that the SCLPV is efficient and practical. Compared with the only existing certificateless public verification scheme (CLPV), the SCLPV provides stronger security guarantees in terms of remedying the security vulnerability of the CLPV and resistance against malicious auditors. In comparison with the best integrity verification scheme achieving resistance against malicious auditors, the communication cost between the auditor and the cloud server in the SCLPV is independent of the size of the processed data; meanwhile, the auditor in the SCLPV does not need to manage certificates.





Hybrid cloud is a widely used cloud architecture in large companies that can outsource data to the public cloud, while still supporting various clients like mobile devices. However, such public cloud data outsourcing raises serious security concerns, such as how to preserve data confidentiality and how to regulate access policies to the data stored in the public cloud. To address this issue, we design a hybrid cloud architecture that supports data sharing securely and efficiently, even with resource-limited devices, where the private cloud serves as a gateway between the public cloud and the data user. Under such an architecture, we propose an improved construction of attribute-based encryption that has the capability of delegating encryption/decryption computation, which achieves flexible access control in the cloud and privacy preservation in data utilization even with mobile devices. Extensive experiments show the scheme can further decrease the computational cost and space overhead at the user side, which is quite efficient for the user with limited mobile devices. In the process of delegating most of the encryption/decryption computation to the private cloud, the user does not disclose any information to the private cloud. We also consider communication security: once frequent attribute revocation happens, our scheme is able to resist some attacks between the private cloud and the data user by employing anonymous key agreement.