Publication


Featured research published by David Lai.


International Conference on Telecommunications | 2015

Preventing man-in-the-middle attack in Diffie-Hellman key exchange protocol

Aqeel Sahi Khader; David Lai

The acceleration in developments in communication technology has led to a consequent increase in the vulnerability of data due to penetration attacks. These attacks often came from outside where non-qualified companies develop IT projects. Cryptography can offer high levels of security but has recently shown vulnerabilities such as the man-in-the-middle (MITM) attack in areas of key exchange protocols, especially in the Diffie-Hellman (DH) protocol. Firstly, this paper presents an overview of MITM attacks targeted at the DH protocol, then discusses some of the shortcomings of current defenses. A proposed method to secure DH, which helps secure systems against MITM attacks, is then presented. This method involves the use of Geffe generation of binary sequences. The use of the Geffe generator offers high levels of randomness. Data hashed and encrypted using this proposed method will be very difficult to intercept and decrypt without the appropriate keys. This offers high levels of security and helps prevent MITM attacks.


Wireless Telecommunications Symposium | 2006

Implementing and Evaluating An Adaptive Secure Routing Protocol for Mobile Ad Hoc Network

Lu Jin; Zhongwei Zhang; David Lai; Hong Zhou

A new innovative deployment of wireless technology is the mobile ad hoc network (MANET). A MANET is characterized by no fixed infrastructure or varying topologized structure. This feature allows MANETs to be deployed in many circumstances where traditional IP networks are constrained or too expensive in terms of time and resources. Adversely, the mobility of nodes renders MANETs vulnerable to many malicious attacks. Security mechanisms in MANETs usually comprise secure routing and secure data transmission. There are already some mechanisms to secure end-to-end transmission, but there is a limited number of strategies for securing the routing messages or protocols. In this paper, we deliberate on and implement one secure routing protocol, FLSL (adaptive fuzzy logic based security level routing protocol), and study its performance under different scenarios. The implementation of the FLSL protocol has been carried out by use of NS-2. Various experimental results from simulation verify the protocol and also demonstrate its feasibility. A set of experiments under different scenarios has been presented and the results of these experiments have been analysed.


Wireless Telecommunications Symposium | 2006

Secure Service Sharing over Networks for Mobile Users Using Service Network Graphs

David Lai; Zhongwei Zhang

Sharing of services among wired and wireless networks provides users with more variety of services. In this paper, we concentrate on how to achieve secure service sharing for mobile users in an aggregation of heterogeneous networks. Our approach is to extend the service network graph (SNG) concept to handle mobile users rambling within a guest network which is part of an SNG. Adhering to this approach, if the guest network has delegated authentication authority to the home network, the extended service network graph can also set up a transient account by sharing a secret between the user and the authentication servers on the guest network and the home network. This may serve as a temporary account and helps mobile users to obtain services on the fly. Lastly, we discuss how to use the extended SNG for mobile IP authentication.


Computers in Biology and Medicine | 2016

Security and privacy preserving approaches in the eHealth clouds with disaster recovery plan

Aqeel Sahi; David Lai; Yan Li

Cloud computing was introduced as an alternative storage and computing model in the health sector as well as other sectors to handle large amounts of data. Many healthcare companies have moved their electronic data to the cloud in order to reduce in-house storage, IT development and maintenance costs. However, storing the healthcare records in a third-party server may cause serious storage, security and privacy issues. Therefore, many approaches have been proposed to preserve security as well as privacy in cloud computing projects. Cryptographic-based approaches were presented as one of the best ways to ensure the security and privacy of healthcare data in the cloud. Nevertheless, the cryptographic-based approaches which are used to transfer health records safely remain vulnerable regarding security, privacy, or the lack of any disaster recovery strategy. In this paper, we review the related work on security and privacy preserving as well as disaster recovery in the eHealth cloud domain. Then we propose two approaches, the Security-Preserving approach and the Privacy-Preserving approach, and a disaster recovery plan. The Security-Preserving approach is a robust means of ensuring the security and integrity of Electronic Health Records, and the Privacy-Preserving approach is an efficient authentication approach which protects the privacy of Personal Health Records. Finally, we discuss how the integrated approaches and the disaster recovery plan can ensure the reliability and security of cloud projects.


IEEE Access | 2017

An Efficient DDoS TCP Flood Attack Detection and Prevention System in a Cloud Environment

Aqeel Sahi; David Lai; Yan Li; Mohammed Diykh

Although the number of cloud projects has dramatically increased over the last few years, ensuring the availability and security of project data, services, and resources is still a crucial and challenging research issue. Distributed denial of service (DDoS) attacks are the second most prevalent cybercrime attacks after information theft. DDoS TCP flood attacks can exhaust the cloud’s resources, consume most of its bandwidth, and damage an entire cloud project within a short period of time. The timely detection and prevention of such attacks in cloud projects are therefore vital, especially for eHealth clouds. In this paper, we present a new classifier system for detecting and preventing DDoS TCP flood attacks (CS_DDoS) in public clouds. The proposed CS_DDoS system offers a solution to securing stored records by classifying the incoming packets and making a decision based on the classification results. During the detection phase, CS_DDoS identifies and determines whether a packet is normal or originates from an attacker. During the prevention phase, packets which are classified as malicious will be denied access to the cloud service and the source IP will be blacklisted. The performance of the CS_DDoS system is compared using the different classifiers of the least squares support vector machine (LS-SVM), naïve Bayes, K-nearest, and multilayer perceptron. The results show that CS_DDoS yields the best performance when the LS-SVM classifier is adopted. It can detect DDoS TCP flood attacks with about 97% accuracy and with a Kappa coefficient of 0.89 when under attack from a single source, and 94% accuracy with a Kappa coefficient of 0.9 when under attack from multiple attackers. Finally, the results are discussed in terms of accuracy and time complexity, and validated using a K-fold cross-validation model.


Network and Parallel Computing | 2008

Self-Authentication of Encrypted Channels in Service Network Graph

David Lai; Zhongwei Zhang

Service network graph (SNG) was proposed as a network service sharing infrastructure to support secure services on dynamic aggregation of heterogeneous networks. To participate in SNG, a network has to share a secret key with one member of the SNG. The shared secret key will be used to set up an encrypted channel between the network and the SNG member. It is imperative to authenticate the data sent through the encrypted channel. This paper uses the symbols and approach presented by Lampson in his paper to provide a formal proof of how an encrypted channel authenticates itself in SNG. It forms the basis of using encrypted channels in SNG.


Asian Conference on Intelligent Information and Database Systems | 2009

Improving Efficiency and Scalability of Service Network Graph by Re-routing Service Routes

David Lai; Zhongwei Zhang

Inter-domain service routing is an element in the success of Next Generation Network. Service requests, such as the INVITE request in Session Initiation Protocol [RFC3261], may need to be redirected. Service Path (SPath) can be used to hold the server paths and service information. The length of SPath increases as the number of hops in a redirection increases. The overhead for service routing which uses SPath also increases. Thus it is desirable to optimize SPath to ensure efficiency and scalability of protocols involving service routing. In this paper, we propose a re-routing strategy to optimize service routing, and demonstrate how this strategy can be applied to SPath to enhance the efficiency and scalability of Service Network Graph (SNG). The formal proof for SPath optimization also forms the basis of Authentication Delegation in SNG.


Rough Sets and Knowledge Technology | 2009

Efficient Information Propagation in Service Routing for Next Generation Network

David Lai; Zhongwei Zhang

Service routing across multiple network domains often requires redirection of service requests. Service request redirection can be achieved with multiple single-hop redirections as in Session Initiation Protocol (SIP) or as a single redirection of multiple hops as in Service Network Graph (SNG). For efficiency and manageability, it is desirable to hold all the redirection information and knowledge for service routing in a single entity during redirection of an individual service. In this paper, we propose the use of Service Path (SPath) to store and communicate the redirection information and knowledge for better performance. We also discuss how SPath can be applied to access a shared service and perform authentication in a multi-hop inter-domain service routing context, using SNG as an example for illustration.


Koli Calling '07 Proceedings of the Seventh Baltic Sea Conference on Computing Education Research - Volume 88 | 2007

An evaluation of electronic individual peer assessment in an introductory programming course

Michael de Raadt; David Lai; Richard Watson


International Conference on Communications | 2005

Network service sharing infrastructure: service authentication and authorization revocation

David Lai; Zhongwei Zhang

Collaboration

Top Co-Authors

Zhongwei Zhang, University of Southern Queensland
Yan Li, University of Southern Queensland
Aqeel Sahi Khader, University of Southern Queensland
Hong Zhou, University of Southern Queensland
Lu Jin, University of Southern Queensland
Michael de Raadt, University of Southern Queensland
Mohammed Diykh, University of Southern Queensland
Peng Wen, University of Southern Queensland
Richard Watson, University of Southern Queensland