International Journal of Electronic Security and Digital Forensics (9 papers in press)
- A new identity based ring signcryption scheme
by Lunzhi Deng
Abstract: This paper presents a new identity-based ring signcryption scheme. With this technique, anyone can choose n − 1 entities to generate a verifiable ring signcryption on behalf of the group of n members, yet the actual signcrypter remains anonymous. The scheme is proven to be indistinguishable against adaptive chosen ciphertext attacks, existentially unforgeable against adaptive chosen message and identity attacks, and unconditional signcrypter ambiguity under the random oracle model.
Keywords: Identity-based cryptography, Ring signcryption, Random oracle model, Security
- A security enhanced user authentication scheme for multi-server environment without using smart cards
by Pengshuai Qiao
Abstract: With the popularity of the Internet and wireless networks, more and more network architectures are used in multi-server environments, in which users remotely access servers through open networks. For the reliability of accessing these remote services, users must pass a verification procedure to obtain the authorization for legal resource acquisition and data exchange. In 2008, Lee et al. proposed an authentication scheme for multi-server architecture. Recently, Yeh et al. demonstrated that Lee et al.'s scheme is insecure against server spoofing attack, user impersonation attack and undetectable online password guessing attacks. Yeh et al. also proposed an improved authentication scheme and claimed their scheme could withstand various attacks. Unfortunately, we find that Yeh et al.'s scheme is still vulnerable to offline password guessing attack and stolen-verifier attack. Furthermore, a security enhanced authentication scheme is developed to eliminate the identified weaknesses.
Keywords: Authentication, Communication, Key agreement, Multi-server, Security
- Cryptanalysis and improvement of an authentication scheme for telecare medical information systems
by Yun Zhao
Abstract: The telecare medical information system (TMIS) could improve quality of medical care since it allows patients to enjoy health-care delivery services in their home. However, the privacy and security influence the development of the TMIS since it is employed in open networks. Recently, Wu and Xu proposed a privacy authentication scheme for the TMIS and claimed that their scheme could overcome weaknesses in previous schemes. However, we will demonstrate that their scheme is vulnerable to the server spoofing attack and cannot provide user anonymity. To overcome weaknesses in their scheme, we also propose a new authentication scheme for the TMIS. Analysis shows that our scheme not only overcomes weaknesses in Wu et al.'s scheme, but also has better performance.
Keywords: Mutual authentication, Anonymity, Smart card, Telecare medical information system
- Incorporating Hacking Projects in Computer and Information Security Education: an Empirical Study
by Eman Alashwali
Abstract: Incorporating hacking projects in information security education is controversial. However, several studies discussed the benefits of including offensive exercises (e.g. hacking) in information security courses. In this paper, we present our experiment in incorporating hacking projects in the laboratory exercises for an undergraduate-level Computer and Information Security (CIS) course at King Abdulaziz University (KAU), Saudi Arabia. We conducted a survey to measure the effectiveness of incorporating hacking projects from the students' perspective. We also questioned the ethical aspects of these projects. The results strongly suggest that hacking projects have helped the students better understand computer and information security principles. Furthermore, the majority of the students stated that they do not intend to misuse the learned skills, mainly, for religious and ethical reasons. We also present the precautions that we took to avoid legal or ethical consequences that may be connected with these activities.
Keywords: information; security; offensive; defensive; education; Saudi Arabia; hacking; cyberattack; attack; awareness; ethics, women in engineering
- Practical certificateless short signature scheme
by Miaomiao Tian
Abstract: Certificateless cryptography is an attractive paradigm for public key cryptography since it does not require certificates in traditional public key cryptography and also solves the inherent key escrow problem in identity-based cryptography. Currently, certificateless short signature is receiving significant attention from the public key cryptography research community as it's particularly useful in low-bandwidth communication environments. However, most of the certificateless short signature schemes only support low-level security. Recently, Choi et al. presented a certificateless short signature scheme and claimed that it is provably secure against super adversaries in the random oracle model. Unfortunately, in this paper, we show that their scheme is insecure even against a strong adversary. We then propose a new certificateless short signature scheme and prove that it is secure against strong adversaries. Compared with other certificateless short signature schemes, our scheme is more computationally efficient.
Keywords: Certificateless cryptography; Short signature; Bilinear pairing; Efficiency.
- ROBUST AND SECURE IMAGE STEGANOGRAPHIC ALGORITHM BASED ON MATRIX EMBEDDING
by Sushil Kumar, S.K. Muttoo
Abstract: Steganography is a sub-discipline of data hiding with an objective to modify a digital object, known as cover object, to encode and conceal a message so that it cannot be seen while it is transmitted on public communication channels such as computer networks. The main requirements of a steganography system are imperceptibility, high payload, security and robustness against transmission channel noise. The proposed work presented in this paper consists of a robust (non-fragile) steganography technique based on the matrix embedding using a self-synchronizing variable length T-codes (to obtain compressed message from the original message) and RS codes (as error correction coding to provide robustness to the embedded message against transmission errors). The original message is first encoded using T-codes and then with RS codes. The selection of the plane for embedding is made on the basis of variance of intensity resolutions. The secret message is then embedded in the selected 2nd, 3rd or 4th plane of the cover image using the matrix encoding technique. The proposed method is compared with other existing steganographic schemes based on error correcting codes. Experimental results show that the proposed method is an improvement over the existing methods.
Keywords: Image Steganography; Matrix Embedding; T-codes; RS codes; Security; Embedding Efficiency; WPSNR; SSIM; KLDiv
- A method for forensic artifact collection, analysis and incident response in environments running Session Initiation Protocol (SIP) and Session Description Protocol (SDP)
by Vasilios Katos, Ioannis Psaroudakis, Panagiotis Saragiotis, Lilian Mitrou
Abstract: In this paper we perform an analysis of SIP, a popular Voice over IP (VoIP) protocol and propose a framework for capturing and analyzing volatile VoIP data in order to determine forensic readiness requirements for effectively identifying an attacker. The analysis was performed on real attack data and the findings were encouraging. It seems that if appropriate forensic readiness processes and controls are in place, a wealth of evidence can be obtained. The type of the end user equipment of the internal users, the private IP, the software that is used can help build a reliable baseline information database. On the other hand the private IP addresses of the potential attacker even during the presence of NAT services, as well as the attack tools employed by the malicious parties are logged for further analysis.
Keywords: Network forensics, SIP, VoIP Forensics, Intrusion Detection Systems (IDS)
- Symmetric Key Management for Mobile Ad hoc Networks using Novel Secure and Authenticated Key Distribution Protocol
by Anand Jegatheesan
Abstract: The wireless nature of communication and lack of security infrastructure raise several security problems in MANET. So, security routing is essential for Mobile Ad hoc Networks. A number of routing methods have been proposed for security routing. The key idea in our algorithm is to explore key authentication at the time of key sharing. Authentication is performed for key distribution and communication. This paves an integrity and authenticity. Collisions of source and destination nodes are reduced and internal and external attacks are overcome using less cryptographic techniques with less computation steps. Confidentiality is achieved by encrypting the keys. A novel symmetric key sharing method is proposed which emphasizes the efficient and secure key sharing and key updates. In our scheme, Digital Signature and Symmetric key combine together and protect the efficiency aspects. Through extensive simulation analysis it is inferred that our algorithm provides an efficient approach towards security and in the mobile ad hoc network.
Keywords: MANET; Symmetric key; Authentication; Secured Hash.
Special Issue on: "ICGS3 articles from 9th ICGS3-13 Conference,"
- E-business, Recent Threats and Security Countermeasures
by Sina Pournouri, Matthew Craven
Abstract: Today, computers play a prominent role in human life and e-business makes the lives of people easier. Online shopping and electronic trade benefit both customers and companies. Although the concept of e-business has many advantages, it also furnishes cybercriminals opportunities to access, steal and manipulate data. Thus, security requirements ought to be considered by managers who run their businesses via computers and the Internet. One of the first steps to defining security requirements is threat and risk assessment, which may be done by cyberattack profiling. This paper aims to profile recent cyberattacks, investigate trends and relationships between distinct factors, and based on those, give security policies as security countermeasures. The work described was presented at the 9th ICGSSS conference in Dec 2013.
Keywords: E-business, Security, Electronic documents, Customers, Cybercriminals, Cyberattacks, Profiling, Threats, Risk.