Georgios Karopoulos

Evaluation of Cryptography Usage in Android Applications

Mobile application developers are using cryptography in their products to protect sensitive data like passwords, short messages, documents etc. In this paper, we study whether cryptography and related techniques are employed in a proper way, in order to protect these private data. To this end, we downloaded 49 Android applications from the Google Play marketplace and performed static and dynamic analysis in an attempt to detect possible cryptographic misuses. The results showed that 87.8% of the applications present some kind of misuse, while for the rest of them no cryptography usage was detected during the analysis. Finally, we suggest countermeasures, mainly intended for developers, to alleviate the issues identified by the analysis.

Self-organised Key Management for the Smart Grid

As Smart Grid deployments emerge around the world, their protection against cyberattacks becomes more crucial. Before protective measures are put into place, one of the main factors to be considered is key management. Smart Grid poses special requirements compared to traditional networks; however, the review of previous work reveals that existing schemes are not complete. Here we propose a scalable and distributed key management scheme for the Smart Grid based on the Web-of-Trust concept. Our proposal is build on top of a Distributed Hash Table for efficient lookups of trust relationships. The target of this scheme is to create a key management system for the Smart Grid without the need of an always available Trusted Third Party. The underlying Distributed Hash Table can be further utilised as an infrastructure to build other Smart Grid services on top of it, like secure and/or anonymous aggregation, billing, etc.

Usage control in SIP-based multimedia delivery

The Session Initiation Protocol (SIP) is an application layer signaling protocol for the creation, modification and termination of multimedia sessions and VoIP calls with one or more participants. While SIP operates in highly dynamic environments, in the current version its authorization support is based on traditional access control models. The main problem these models face is that they were designed many years ago, and under some circumstances they tend to be inadequate in modern highly dynamic environments. Usage Control (UCON), instead, is a model that supports the same operations as traditional access control models do, but it further enhances them with novel ones. In previous work, an architecture supporting continuous authorizations in SIP, based on the UCON model, was presented. In this article, an authorization support implementing the whole UCON model, including authorizations, obligations and conditions, has been integrated in a SIP system. Moreover, a testbed has been set up to experimentally evaluate the performance of the proposed security mechanism.

Complete SIP Message Obfuscation: PrivaSIP over Tor

Anonymity on SIP signaling can be achieved either by the construction of a lower level tunnel (via the use of SSL or IPSec protocols) or by employing a custom-tailored solution. Unfortunately, the former category of solutions present significant impediments including the requirement for a PKI and the hop-by-hop fashioned protection, while the latter only concentrate on the application layer, thus neglecting sensitive information leaking from lower layers. To remediate this problem, in the context of this paper, we employ the well-known Tor anonymity system to achieve complete SIP traffic obfuscation from an attackers standpoint. Specifically, we capitalize on Tor for preserving anonymity on network links that are considered mostly untrusted, i.e., those among SIP proxies and the one between the last proxy in the chain and the callee. We also, combine this Tor-powered solution with PrivaSIP to achieve an even greater level of protection. By employing PrivaSIP we assure that: (a) the first hop in the path (i.e., between the caller and the outbound proxy) affords anonymity, (b) the callee does not know the real identity of the caller, and (c) no real identities of both the caller and the callee are stored in log files. We also evaluate this scheme in terms of performance and show that even in the worst case, the latency introduced is not so high as it might be expected due to the use of Tor.

Security and privacy in unified communications: Challenges and solutions

h 0 Unified Communications (UC) merge different communication echnologies, types of products, and services, from various manufacurers, operators, and countries, following diverse policies and stanards. Specifically, in the context of UC, a range of communication ools are integrated in a way that both corporations and individuals re able to manage all their communications in one entity instead f doing it disjointly. It is therefore said that UC bridges the opening etween the various computer related communication technologies nd Voice over IP (VoIP). However, this high level of heterogeneity xpands the risks related to security and privacy that stakeholders hould deal with. One of the major issues in UC is privacy: as users interact with ach other and with multimedia servers, the media traffic that passes hrough different network elements e.g., proxies and trusted as well s untrusted IP networks, reveals private information about users’ dentity, behavior, location, etc. Taking the aforementioned heteroeneity into account, access control is another topic that requires pecial consideration in the context of UC. Also, security assessment n general needs special attention since signaling passes through ifferent service operators, and security decisions are based on inormation gathering from diverse sources. Last but not least, the ring-Your-Own-Device (BYOD) philosophy followed by many cororations introduces new entry points and leads to more threats in C. This special issue presents selected high-quality papers that cover he domain of security and privacy in UC from different perspecives presenting open issues, algorithms, protocols, policies, frameorks, standards, and UC tailored solutions. We received a total of 4 submissions, out of which eight were selected (acceptance rate 4%) considering their quality and relevance to the topic of the special ssue.

Continuous Authorizations in SIP with Usage Control

The Session Initiation Protocol (SIP) is a signaling protocol for the creation, modification and termination of multimedia sessions with one or more participants. While SIP operates in highly dynamic environments such as Next Generation Networks, in current deployments its access control support is based on traditional access control models. The main problem these models face is that under certain circumstances they tend to be inadequate in current highly dynamic environments. Usage Control is an access control model that supports the same functionalities as traditional models do, but further introduce novel ones. In a previous work, an architecture supporting continuous authorization on SIP based on the Usage Control model was presented. Here this architecture is further elaborated, described in more detail and experimentally evaluated.

Attacking GSM Networks as a Script Kiddie Using Commodity Hardware and Software

With the emergence of widely available hardware and software tools for GSM hacking, the security of cellular networks is threatened even by script kiddies. In this paper we present four different attacks in GSM networks, using commodity hardware as well as open source and freely available software tools. All attacks are performed using a common DVB-T TV tuner, which is used as a sniffer for the GSM radio interface, as well as an Arduino combined with a GSM shield that is used as a software programmable mobile phone. The attacks target both mobile users and the network, ranging from sniffing the signaling traffic to tracking and performing denial of service to the subscribers. Despite the script kiddie style of the attacks, their consequences are critical and threaten the normal operation of the cellular networks.

Secure energy management in Smart Energy Networks

Worldwide deployed power grids have provided seamless unidirectional power supply of electricity for decades. Recently, diverse environmental factors (e.g., depletion of primary energy resources, climate change) and the heterogeneous nature of energy production are calling for new solutions. Accordingly, the Smart-NRG project proposes a modular and flexible system architecture, new technologies, and simulation tools to meet the specifications of smart grid applications. In this paper, we give an overview of the system-level simulator proposed in previous work and we present new secure communication and energy management solutions for smart grids. Experimental and simulation results show the gains of a threshold-based energy management algorithm and the end-to-end delays required to secure the information flows in the network.

Towards trusted metering in the smart grid

With the evolution of the smart grid, most homes will be equipped with smart meters that support consumption reading, demand response and applications requiring two-way communications. In this context, security is a key aspect for smart grid adoption, especially since customers will have physical access to smart meters installed in their premises. Customers will be able to modify the software, firmware or hardware of the smart meter for their own benefit; additionally, remote attackers can mount cyber-attacks against smart meters. To address these challenges we have designed and evaluated a trusted computing environment for smart meters that provides secure storage of cryptographic keys and sensitive data, remote attestation, and protection to sensitive smart grid applications. The performance evaluation shows that our proposal is efficient and can be applied to embedded devices, like smart meters.