Table of Contents

International Journal of Information Security
Volume:14 Issue: 3, Oct 2022

  • Publication date: 1401/07/09
  • Number of titles: 14
  • Amir Ashtari, Ahmad Shabani, Bijan Alizadeh * Pages 1-8
    This paper presents a novel RF-PUF-based authentication scheme, called RKM-PUF which takes advantage of a dynamic random key generation that depends upon both communication parties in the network to detect intrusion attacks. Unlike the existing authentication schemes, our proposed approach takes the physical characteristics of both involved parties into account to generate the secret key, resulting in securely mutual authentication of both nodes in a wireless network. The experimental results of the proposed authentication scheme show that the RKM-PUF can reach up to 99% in identification accuracy.
    Keywords: IoT, Network Security, Radio frequency identification, Physical Layer Security
  • Navid Vafaei, Maryam Porkar, Hamed Ramzanipour, Nasour Bagheri * Pages 9-19
    SKINNY is a lightweight tweakable block cipher that was first introduced at CRYPTO 2016. SKINNY is considered in two block sizes: 64 bits and 128 bits, as well as three TWEAK versions. In the beginning, this paper reflects our findings that improve the effectiveness of DFA analysis on SKINNY, then accomplishes the hardware implementation of this attack on SKINNY. Assuming that TWEAK is fixed, we first present the Enhanced DFA on SKINNY64-64 and SKINNY128-128. In order to retrieve the master key with the minimum number of faults, this approach depends on fault propagation in intermediate rounds. In our latest evaluations we can retrieve the master key with 2 and 3 faults in SKINNY64-64 and SKINNY128-128, respectively. This result should be compared with 3 and 4 faults for 64-bit and 128-bit versions respectively, in the models presented in the former work. Using the glitch model as well as a set of affordable hardware equipment, we injected faults into various rounds of the SKINNY algorithm in the implementation phase. More accurately, we can inject a single nibble fault into a particular round by determining the precise timing of the execution sub-function.
    Keywords: Differential Fault Analysis, SKINNY, Glitch Frequency, Nibble Fault Injection
  • Hamed Ramzanipour, Navid Vafaei, Nasour Bagheri * Pages 21-31
    Differential fault analysis, a kind of active non-invasive attack, is an effective way of analyzing cryptographic primitives that have lately earned more attention. In this study, we apply this attack on CRAFT, a recently proposed lightweight tweakable block cipher, supported by simulation and experimental results. This cipher accepts a 64-bit Tweak, a 64-bit plaintext, and a 128-bit key to produce a 64-bit ciphertext. We assume that the target implementation of CRAFT does not use countermeasures in this paper. The considered fault model in the initial phase of this paper is a single-bit, but random nibble-injected fault, where we first present the fault injection attack as a simulation and then report on how to retrieve the round sub-keys. Next, we use frequency glitch as a fault injection technique in the experimental phase. This part aims to produce a single fault at a nibble in a specific round of the CRAFT. Following our statistical analysis and according to the simulation findings, we can reduce the key space to 30.28 and 24.37 bits, respectively, by using 4 and 5 faults. The experimental section also identifies the location of random faults injected by the hardware mechanism.
    Keywords: Differential Fault Analysis, CRAFT, Implementation of Fault Attack, Glitch Frequency
  • Seyed Salar Ghazi, Haleh Amintoosi *, Sahar Pilevar Moakhar Pages 33-42
    In recent years, blockchain technology has been used in many fields, including IoT and Smartphones. Since most of these devices are battery constrained and have low processing capabilities, conventional blockchains are not suitable for these types of systems. In this field, critical challenges that need to be addressed are providing security for transactions and power consumption. An available solution to meet the mentioned challenges is TrustChain. Unlike conventional blockchains, TrustChain does not have a single global chain. Instead, each node is responsible for building and maintaining its local chain. With all the benefits, TrustChain is vulnerable to the whitewashing attack and suffers from client vulnerability issues. Moreover, once a fatal error occurs, the recovery time of each TrustChain node is considerably high. In this paper, we propose a solution to address the attacks mentioned above by implementing an authentication system with MongoDB on top of TrustChain. Moreover, we connected TrustChain to the distributed cloud storage to significantly reduce the recovery time of nodes in fatal errors (up to 80%). Finally, we evaluate improved TrustChain with the PoW-based smartphone-oriented blockchains from two aspects of security and power consumption, proving that improved TrustChain does not significantly affect the lifetime of the smartphone battery. Its power consumption is less than mentioned blockchains and is more secure than these systems against main attacks.
    Keywords: Distributed Systems, Blockchain, TrustChain, Distributed Cloud, Whitewashing, Battery Consumption
  • Mohammad Ali * Pages 43-49
    Remote data auditing (RDA) protocols enable a cloud server to persuade an auditor that it is storing a data file honestly. Unlike digital signature (DS) schemes, in RDA protocols, the auditor can carry out the auditing procedure without having the entire data file. Therefore, RDA protocols seem to be attractive alternatives to DSs as they can effectively reduce bandwidth consumption. However, existing RDA protocols do not provide adequately powerful tools for user authentication. In this paper, we put forward a novel attribute-based remote data auditing and user authentication scheme. In our proposed scheme, without having a data file outsourced to a cloud server, an auditor can check its integrity and the issuer’s authenticity. Indeed, through a challenge-response protocol, the auditor can check whether 1) the cloud server has changed the content of the data file or not; 2) the data owner possesses specific attributes or not. We show that our scheme is secure under the hardness assumption of the bilinear Diffie-Hellman (BDH) problem.
    Keywords: cloud computing, Data Integrity, Attribute-Based Authentication, Data Auditing, Attribute-Based Cryptography
  • Fatemeh Deldar, Mahdi Abadi *, Mohammad Ebrahimifard Pages 51-60
    With the widespread use of Android smartphones, the Android platform has become an attractive target for cybersecurity attackers and malware authors. Meanwhile, the growing emergence of zero-day malware has long been a major concern for cybersecurity researchers. This is because malware that has not been seen before often exhibits new or unknown behaviors, and there is no documented defense against it. In recent years, deep learning has become the dominant machine learning technique for malware detection and could achieve outstanding achievements. Currently, most deep malware detection techniques are supervised in nature and require training on large datasets of benign and malicious samples. However, supervised techniques usually do not perform well against zero-day malware. Semi-supervised and unsupervised deep malware detection techniques have more potential to detect previously unseen malware. In this paper, we present MalGAE, a novel end-to-end deep malware detection technique that leverages one-class graph neural networks to detect Android malware in a semi-supervised manner. MalGAE represents each Android application with an attributed function call graph (AFCG) to benefit the ability of graphs to model complex relationships between data. It builds a deep one-class classifier by training a stacked graph autoencoder with graph convolutional layers on benign AFCGs. Experimental results show that MalGAE can achieve good detection performance in terms of different evaluation measures.
    Keywords: Android Malware Detection, Attributed Function Call Graph, Graph Convolutional Layer, One-Class Classification, Semi-Supervised Deep Learning, Stacked Graph Autoencoder
  • Amirhosein Sayyadabdi, Behrouz Tork Ladani *, Bahman Zamani Pages 61-69
    Android is a widely used operating system that employs a permission-based access control model. The Android Permissions System (APS) is responsible for mediating application resource requests. APS is a critical component of the Android security mechanism; hence, a failure in the design of APS can potentially lead to vulnerabilities that grant unauthorized access to resources by malicious applications. In this paper, we present a formal approach for modeling and verifying the security properties of APS. We demonstrate the usability of the proposed approach by showcasing the detection of a well-known vulnerability found in Android’s custom permissions.
    Keywords: Android Security, Formal Methods, Verification
  • Hadi Aghaee, Bahareh Akhbari * Pages 71-80
    In this paper, we want to derive achievable secrecy rate regions for quantum interference channels with classical inputs under a one-shot setting. The main idea to this end is to use the combination of superposition and rate splitting for the encoding scheme and construct a decoding scheme based on simultaneous decoding.
    Keywords: Quantum Channel, Mutual Information, Secrecy Capacity, Multiple Access Channel
  • Somayeh Mozafari, Amir Jalaly Bidgoly * Pages 81-92
    Today, with the advancement of science and technology, the use of smartphones has become very common, and the Android operating system has been able to gain lots of popularity in the meantime. However, these devices face many security challenges, including malware. Malware may cause many problems in both the security and privacy of users. So far, the state-of-the-art method in malware detection is based on deep learning, however, this approach requires a lot of computing resources and leads to high battery usage, which is unacceptable in smartphone devices. This paper proposes the knowledge distillation approach for lightening Android malware detection. To this end, first, a heavy model is taught and then with the knowledge distillation approach, its knowledge is transferred to a light model called student. To simplify the learning process, soft labels are used here. The resulting model, although slightly less accurate in identification, has a much smaller size than the heavier model. Moreover, ensemble learning was proposed to recover the dropped accuracy. We have tested the proposed approach on CISC datasets including dynamic and static features, and the results show that the proposed method is not only able to lighten the model up to 99%, but also maintain the accuracy of the lightened model to the extent of the heavy model.
    Keywords: Android, Deep Learning, Ensemble Learning, Knowledge Distillation, Lightning, Malware Detection
  • Muhamadali Hajisoltani, Raziyeh Salarifard *, Hadi Soleimany Pages 93-99
    Masking techniques are used to protect the hardware implementation of cryptographic algorithms against side-channel attacks. Reconfigurable hardware, such as FPGA, is an ideal target for the secure implementation of cryptographic algorithms. Due to the restricted resources available to the reconfigurable hardware, efficient secure implementation is crucial in an FPGA. In this paper, a two-share threshold technique for the implementation of AES is proposed. In continuation of the work presented by Shahmirzadi et al. at CHES 2021, we employ built-in Block RAMs (BRAMs) to store component functions. Storing several component functions in a single BRAM may jeopardize the security of the implementation. In this paper, we describe a sophisticated method for storing two separate component functions on a single BRAM to reduce area complexity while retaining security. Our design is well suited for FPGAs, which support both encryption and decryption. Our synthesis results demonstrate that the number of BRAMs used is reduced by 50% without affecting the time or area complexities.
    Keywords: Side-channel attacks, FPGA, Threshold Implementation, AES
  • Afshin Karampour *, Maede Ashouri-Talouki, Behrouz Tork Ladani Pages 101-112
    Smart grids using information technology (IT) and communication networks control smart home appliances to reduce costs and increase reliability and transparency. Preserving the privacy of the user data is one of the biggest challenges in smart grid research; by disclosing user-related data, an internal or external adversary can understand the habits and behavior of the users. A solution to address this challenge is, however, a data aggregation mechanism in which the aggregated data of all of the users in a residential area. The security and efficiency of the data aggregation approach are important. The drawback of the previous works is leaking fine-grained user data or the high computation and communication overhead. In this paper, we present an efficient privacy-preserving data-aggregation protocol, called PPDA, based on the Elliptic Curve Cryptography (ECC) and Anonymous Veto network protocol. The PPDA protocol aggregates metering data efficiently and securely so that it becomes applicable for resource-constrained metering devices. We also present an improved multi-cycle proposal of PPDA, called MC-PPDA. In the improved approach, the system initialization step runs only at the first cycle of the protocol which increases the efficiency of the protocol. Evaluation results show that the proposed approaches preserve the privacy of the fine-grained user data against an internal and external adversary; the improved multi-cycle approach is also secure against collusion. Compared to the previous approaches, the proposed approaches incur less computation and communication overhead.
    Keywords: smart grid, Smart Meter, data aggregation, Privacy-Preserving, Elliptic Curve Cryptography, AV-Net Mask
  • Maryam Saeedi Sadr, MohammadAli Hadavi * Pages 113-121

    The use of NoSQL data and its storage in the Cloud is growing rapidly. Due to the accumulation of data in the Cloud, data security against untrusted service providers as well as external attackers becomes a more serious problem. Over the past few years, there are some efforts to secure the outsourcing of NoSQL data, especially column-based and document-based models. However, practical solutions for secure outsourcing of key-value databases have not been identified. This paper attempts to introduce SecureKV as a secure method for outsourcing key-value databases. This method employs a multi-Cloud storage scenario to preserve outsourced data confidentiality. Besides security issues, the proposed method supports executing major key-value queries directly on outsourced data. A prototype of the Redis database management system has been implemented to show the efficiency and effectiveness of the proposed method. The results imply that, besides security issues, it is efficient and scalable enough in executing key-value-specific queries.

    Keywords: NoSQL, Key-Value Database, Security, Confidentiality, Data Outsourcing, Query Processing, Multi-Cloud
  • Sepehr Damavandi, Sadegh Dorri Nogoorani * Pages 123-133
    Voting is a fundamental mechanism used by many human societies, organizations and nations to make collective decisions. There has been a tremendous effort on making this mechanism fairer, error-free and secure. Electronic voting aims to be a solution to some deficiencies of existing paper-based voting systems. While there have been excellent technical and practical advances in e-voting, and some of them were great in defining the needs and musts of an ideal voting system, there are also severe critics of existing solutions mostly related to end-to-end verifiability and software independence. In this paper, we use blockchain and zero-knowledge proofs for a secure e-voting scheme that satisfies these requirements while preserving the privacy of the voters. We also evaluate our scheme from security and performance aspects.
    Keywords: Applied Cryptography, Blockchain Voting, Blockchain Privacy, Electronic Voting, ZK-SNARKs
  • Sajjad Palanki, Alireza Shafieinejad * Pages 135-149
    Reliable access control is a major challenge of cloud storage services. This paper presents a cloud-based file-sharing architecture with ciphertext-policy attribute-based encryption (CP-ABE) access control mechanism. In CP-ABE, the data owner can specify the ciphertext access structure, and if the user key satisfies this access structure, the user can decrypt the ciphertext. The trusted authority embeds the private key of each attribute in a so-called attribute access polynomial and stores its coefficients publicly on the cloud. By means of the access polynomial, each authorized user will be able to retrieve the private key of the attribute by using her/his owned pre-shared key. In contrast, the data owner encrypts the file with a randomly selected key, namely the cipher key. The data owner encrypts the cipher key by CP-ABE scheme with the desired policies. Further, the data owner can create a different polynomial called query access polynomial for multi-keyword searching. Finally, the data owner places the encrypted file along the encrypted cipher key and query access polynomial in the cloud. The proposed scheme supports fast attribute revocation using updating the corresponding access polynomial and re-encrypting the affected cipher keys by the cloud server. Moreover, most of the calculations at the decryption and searching phases are outsourced to the cloud server, thereby allowing the lightweight nodes with limited resources to act as data users. Our analysis shows that the proposed scheme is both secure and efficient.
    Keywords: Secure Cloud Storage, Attribute-Based Encryption, Attribute Revocation, Multi-Keyword Searching