International Journal of Electronic Security and Digital Forensics (10 papers in press)
- A security enhanced user authentication scheme for multi-server environment without using smart cards
by Pengshuai Qiao
Abstract: With the popularity of Internet and wireless networks, more and more network architectures are used in multi-server environment, in which users remotely access servers through open networks. For the reliability of accessing these remote services, user must pass a verification procedure to obtain the authorization for legal resource acquisition and data exchange. In 2008, Lee et al. proposed an authentication scheme for multi-server architecture. Recently, Yeh et al. demonstrated that Lee et al.'s scheme is insecure against server spoofing attack, user impersonation attack and undetectable online password guessing attacks. Yeh et al. also proposed an improved authentication scheme and claimed their scheme could withstand various attacks. Unfortunately, we find that Yeh et al.'s scheme is still vulnerable to offline password guessing attack and stolen-verifier attack. Furthermore, a security enhanced authentication scheme is developed to eliminate the identified weaknesses.
Keywords: Authentication, Communication, Key agreement, Multi-server, Security
- Cryptanalysis and improvement of an authentication scheme for telecare medical information systems
by Yun Zhao, Chunming Zhang
Abstract: The telecare medical information system (TMIS) could improve quality of medical care since it allows patients to enjoy healthcare delivery services in their home. However, the privacy and security influence the development of the TMIS since it is employed in open networks. Recently, Wu and Xu proposed a privacy authentication scheme for the TMIS and claimed that their scheme could overcome weaknesses in previous schemes. However, we will demonstrate that their scheme is vulnerable to the server spoofing attack and cannot provide user anonymity. To overcome weaknesses in their scheme, we also propose a new authentication scheme for the TMIS. Analysis shows that our scheme not only overcomes weaknesses in Wu et al.'s scheme, but also has better performance.
Keywords: mutual authentication; anonymity; smart card; telecare medical information system; TMIS.
- Incorporating hacking projects in computer and information security education: an empirical study
by Eman Alashwali
Abstract: Incorporating hacking projects in information security education is controversial. However, several studies discussed the benefits of including offensive exercises (e.g., hacking) in information security courses. In this paper, we present our experiment in incorporating hacking projects in the laboratory exercises for an undergraduate-level Computer and Information Security (CIS) course at King Abdulaziz University (KAU), Saudi Arabia. We conducted a survey to measure the effectiveness of incorporating hacking projects from the students' perspective. We also questioned the ethical aspects of these projects. The results strongly suggest that hacking projects have helped the students better understand computer and information security principles. Furthermore, the majority of the students stated that they do not intend to misuse the learned skills, mainly for religious and ethical reasons. We also present the precautions that we took to avoid legal or ethical consequences that may be connected with these activities.
Keywords: information; security; offensive; defensive; education; hacking; cyberattack; attack; awareness; ethics; women in engineering; Saudi Arabia.
- Practical certificateless short signature scheme
by Miaomiao Tian, Liusheng Huang, Wei Yang
Abstract: Certificateless cryptography is an attractive paradigm for public key cryptography since it does not require certificates in traditional public key cryptography and also solves the inherent key escrow problem in identity-based cryptography. Currently, certificateless short signature is receiving significant attention from the public key cryptography research community as it is particularly useful in low-bandwidth communication environments. However, most of the certificateless short signature schemes only support low-level security. Recently, Choi et al. presented a certificateless short signature scheme and claimed that it is provably secure against super adversaries in the random oracle model. Unfortunately, in this paper, we show that their scheme is insecure even against a strong adversary. We then propose a new certificateless short signature scheme and prove that it is secure against strong adversaries. Compared with other certificateless short signature schemes, our scheme is more computationally efficient.
Keywords: certificateless cryptography; short signature; bilinear pairing; efficiency.
- Robust and secure image steganographic algorithm based on matrix embedding
by Sushil Kumar, S.K. Muttoo
Abstract: Steganography is a sub-discipline of data hiding with an objective to modify a digital object, known as cover object, to encode and conceal a message so that it cannot be seen while it is transmitted on public communication channels such as a computer network. The main requirements of a steganography system are imperceptibility, high payload, security and robustness against transmission channel noise. The proposed work presented in this paper consists of a robust (non-fragile) steganography technique based on the matrix embedding using self-synchronising variable length T-codes (to obtain compressed message from the original message) and RS codes (as error correction coding to provide robustness to the embedded message against transmission errors). The original message is first encoded using T-codes and then with RS-codes. The selection of the plane for embedding is made on the basis of variance of intensity resolutions. The secret message is then embedded in the selected 2nd, 3rd or 4th plane of the cover image using the matrix encoding technique. The proposed method is compared with other existing steganographic schemes based on error correcting codes. Experimental results show that the proposed method is an improvement over the existing methods.
Keywords: image steganography; matrix embedding; T-codes; RS-codes; security; embedding efficiency; WPSNR; SSIM; Kullback Leibler divergence; KLDiv.
- A method for forensic artifact collection, analysis and incident response in environments running Session Initiation Protocol (SIP) and Session Description Protocol (SDP)
by Vasilios Katos, Ioannis Psaroudakis, Panagiotis Saragiotis, Lilian Mitrou
Abstract: In this paper we perform an analysis of SIP, a popular Voice over IP (VoIP) protocol and propose a framework for capturing and analyzing volatile VoIP data in order to determine forensic readiness requirements for effectively identifying an attacker. The analysis was performed on real attack data and the findings were encouraging. It seems that if appropriate forensic readiness processes and controls are in place, a wealth of evidence can be obtained. The type of the end user equipment of the internal users, the private IP, the software that is used can help build a reliable baseline information database. On the other hand the private IP addresses of the potential attacker even during the presence of NAT services, as well as the attack tools employed by the malicious parties are logged for further analysis.
Keywords: Network forensics, SIP, VoIP Forensics, Intrusion Detection Systems (IDS)
- Symmetric Key Management for Mobile Ad hoc Networks using Novel Secure and Authenticated Key Distribution Protocol
by Anand Jegatheesan
Abstract: The wireless nature of communication and lack of security infrastructure raise several security problems in MANET. So, security routing is essential for Mobile Ad hoc Networks. A number of routing methods have been proposed for security routing. The key idea in our algorithm is to explore key authentication at the time of key sharing. Authentication is performed for key distribution and communication. This paves an integrity and authenticity. Collisions of source and destination nodes are reduced and internal and external attacks are overcome using less cryptographic techniques with less computation steps. Confidentiality is achieved by encrypting the keys. A novel symmetric key sharing method is proposed which emphasizes the efficient and secure key sharing and key updates. In our scheme, Digital Signature and Symmetric key combine together and protect the efficiency aspects. Through extensive simulation analysis it is inferred that our algorithm provides an efficient approach towards security and in the mobile ad hoc network.
Keywords: MANET; Symmetric key; Authentication; Secured Hash.
- Hybrid Technique for Robust and Imperceptible Dual Watermarking using Error Correcting Codes for Application in Telemedicine
by Amit Singh
Abstract: In this paper, the effects of different error correction codes on the robustness and the image quality are investigated. Three different error correcting codes such as Hamming, the BCH (Bose, Ray-Chaudhuri, Hocquenghem) and the Reed-Solomon code are considered to encode the watermark. The watermark embedding method is based on the two most popular transform techniques which are discrete wavelet transforms (DWT) and singular value decomposition (SVD). The proposed algorithm is robust against a number of signal processing attacks without significant degradation of the image quality. The experimental results demonstrate that this algorithm combines the advantages and removes the disadvantages of these two transforms. Out of three error correcting codes tested, it has been found that Reed-Solomon shows the best performance. A detailed analysis of the results of implementation is given.
Keywords: image watermarking, steganography, discrete wavelet transforms, singular value decomposition, error correcting codes.
- Vietnamese Privacy Concerns & Security in Using Online Social Networks
by Mathews Nkhoma
Abstract: According to a report by Vietnam Network Information Center (VNNIC) on Vietnam Internet resources in 2012, the number of Internet users in Vietnam had increased by 15 times compared to 2000. As a result of increased Internet usage, 35.49% of the Vietnamese population had a 53% chance of encountering online threats without even knowing it. The purpose of this research is to investigate the relationship and influence of security and privacy issues on Internet users' trust, and their intention to participate in a safe online community in order to provide preliminary insights for building a safer Online Social Network (OSN) landscape in Vietnam by examining the relationships among online privacy concerns, security, trust, and intention. Using Structural Equation Modeling, the findings show that privacy correlates with security but these two variables do not have a significant impact on users' trust. Moreover, only trust and security affect users' intention to use OSN.
Keywords: Online social network, privacy concerns, security, trust, intention
Special Issue on: "ICGS3 articles from 9th ICGS3-13 Conference"
- E-business, recent threats and security countermeasures
by Sina Pournouri, Matthew Craven
Abstract: Today, computers play a prominent role in human life and e-business makes the lives of people easier. Online shopping and electronic trade benefit both customers and companies. Although the concept of e-business has many advantages, it also furnishes cybercriminals opportunities to access, steal and manipulate data. Thus, security requirements ought to be considered by managers who run their businesses via computers and the internet. One of the first steps to defining security requirements is threat and risk assessment, which may be done by cyberattack profiling. This paper aims to profile recent cyberattacks, investigate trends and relationships between distinct factors and based on those, give security policies as security countermeasures. The work described was presented at the 9th ICGSSS Conference in December 2013.
Keywords: e-business; security; electronic documents; cyberattacks; profiling; customers; cybercriminals; threats; risk; counter-measures; digital forensics.