Publication


Featured research published by Hyunsoo Kwon.


Multimedia Tools and Applications | 2017

Secure deduplication for multimedia data with user revocation in cloud storage

Hyunsoo Kwon; Changhee Hahn; Daeyoung Kim; Junbeom Hur

Increment of multimedia data motivates users to utilize cloud storage (CS) to exploit its massive size. For this extensible storage system, there are two desirable requirements: (1) the users should be able to ensure that their outsourced data is securely protected and (2) the cloud service provider should be able to eliminate redundant copies of data for improvement of storage utilization. A conventional encryption scheme does not satisfy the deduplication on ciphertext as it destroys message equality. A recent study, DupLESS, has enhanced Convergent Encryption (CE) and provided strong privacy. However, a CE-based scheme allows the users to possibly decrypt cloud data even if the user loses his ownership to the data. In order to solve this problem, we propose a secure deduplication scheme with user revocation. Our scheme leverages an oblivious pseudo-random function to generate the encryption key. The CS enforces data access policy using privilege-based encryption to provide user revocation. The security analysis proves that the proposed scheme is secure against unauthorized decryption by revoked users or the cloud server, and brute-force attack on a predictable set of data.


Multimedia Tools and Applications | 2016

Privacy-preserving public auditing for educational multimedia data in cloud computing

Daeyeong Kim; Hyunsoo Kwon; Changhee Hahn; Junbeom Hur

Nowadays, as distance learning is being widely used, multimedia data becomes an effective way for delivering educational contents in online educational systems. To handle the educational multimedia data efficiently, many distance learning systems adopt a cloud storage service. Cloud computing and storage services provide a secure and reliable access to the outsourced educational multimedia contents for users. However, it brings challenging security issues in terms of data confidentiality and integrity. The straightforward way for the integrity check is to make the user download the entire data for verifying them. But it is inefficient due to the large size of educational multimedia data in the cloud. Recently many integrity auditing protocols have been proposed, but most of them do not consider the data privacy for the cloud service provider. Additionally, the previous schemes suffer from dynamic management of outsourced data. In this paper, we propose a public auditing protocol for educational multimedia data outsourced in the cloud storage. By using random values and a homomorphic hash function, our proposed protocol ensures data privacy for the cloud and the third party auditor (TPA). Also, it is secure against lose attack and tamper attack. Moreover, our protocol is able to support fully dynamic auditing. Security and performance analysis results show that the proposed scheme is secure while guaranteeing minimum extra computation costs.


Multimedia Tools and Applications | 2017

Secure authentication using ciphertext policy attribute-based encryption in mobile multi-hop networks

Hyunsoo Kwon; Daeyeong Kim; Changhee Hahn; Junbeom Hur

With the dramatic increase of the number of mobile devices such as smartphones and tablet PCs, mobile traffic has increased enormously. Especially, the multimedia data accounts for the bulk of the traffic transmitted in mobile networks. To accommodate this growth, device-to-device connection (D2D), which provides infra-connection off-loading, is receiving significant attention. However, we have observed that the majority of the current D2D protocols including Bluetooth and Wi-Fi Direct are vulnerable to man-in-the-middle (MITM) and replay attacks in mobile multi-hop networks. To resolve this problem, in this paper, we propose a novel D2D authentication protocol with a secure initial key establishment using ciphertext-policy attribute-based encryption (CP-ABE). By leveraging CP-ABE, the proposed scheme allows the communicating parties to mutually authenticate and derive the link key in an expressive and secure manner in a multi-hop network environment. We also propose several variations of the proposed scheme for different scenarios in multi-hop networks without network infrastructure. We prove that the proposed scheme is secure against MITM and replay attack in D2D mobile multi-hop networks. Experimental results indicate that the proposed scheme incurs reasonable computation cost in the real world.


Wireless Algorithms, Systems, and Applications | 2014

Secure Device-to-Device Authentication in Mobile Multi-hop Networks

Hyunsoo Kwon; Changhee Hahn; Daeyoung Kim; Kyungtae Kang; Junbeom Hur

In order to deal with drastically increasing mobile traffic these days, device-to-device connection (D2D), which provides infra-connections off-loading, is getting a lot of attention. However, we observed that most of the current D2D protocols such as Bluetooth and Wi-Fi Direct are not scalable, and vulnerable to man-in-the-middle (MITM) and replay attacks in mobile multi-hop networks. In this paper, we propose novel D2D authentication protocols with a secure initial key establishment using ciphertext-policy attribute-based encryption (CP-ABE) to solve this problem. By exploiting CP-ABE, the proposed scheme allows the communicating parties to mutually authenticate each other and derive the link key in an expressive and secure way in the multi-hop network environment. According to the analysis results, the proposed scheme is secure against MITM and replay attacks in the D2D mobile multi-hop networks.


Mobile Information Systems | 2016

Efficient Attribute-Based Secure Data Sharing with Hidden Policies and Traceability in Mobile Health Networks

Changhee Hahn; Hyunsoo Kwon; Junbeom Hur

Mobile health (also written as mHealth) provisions the practice of public health supported by mobile devices. mHealth systems let patients and healthcare providers collect and share sensitive information, such as electronic and personal health records (EHRs) at any time, allowing more rapid convergence to optimal treatment. Key to achieving this is securely sharing data by providing enhanced access control and reliability. Typically, such sharing follows policies that depend on patient and physician preferences defined by a set of attributes. In mHealth systems, not only the data but also the policies for sharing it may be sensitive since they directly contain sensitive information which can reveal the underlying data protected by the policy. Also, since the policies usually incur linearly increasing communication costs, mHealth is inapplicable to resource-constrained environments. Lastly, access privileges may be publicly known to users, so a malicious user could illegally share his access privileges without the risk of being traced. In this paper, we propose an efficient attribute-based secure data sharing scheme in mHealth. The proposed scheme guarantees a hidden policy, constant-sized ciphertexts, and traces, with security analyses. The computation cost to the user is reduced by delegating approximately 50% of the decryption operations to the more powerful storage systems.


International Conference on Ubiquitous and Future Networks | 2015

A secure OTP algorithm using a smartphone application

Hoyul Choi; Hyunsoo Kwon; Junbeom Hur

Recently, several authentication protocols are being used in mobile applications. OTP is one of the most powerful authentication methods among them. However, it has some security vulnerabilities, particularly to MITM (Man-in-the-Middle) attack and MITPC/Phone (Man-in-the-PC/Phone) attack. An adversary could know a valid OTP value and be authenticated with this secret information in the presence of those attacks. To solve these problems, we propose a novel OTP algorithm and compare it with existing algorithms. The proposed scheme is secure against MITM attack and MITPC/Phone attack by using a captcha image, IMSI number embedded in SIM card and limiting available time of an attack.


International Conference on Cloud Computing | 2017

Scalable and Reliable Key Management for Secure Deduplication in Cloud Storage

Hyunsoo Kwon; Changhee Hahn; Dongyoung Koo; Junbeom Hur

Secure deduplication using convergent encryption eliminates duplicate data and stores only one copy to save storage costs while preserving the security of the outsourced data. However, convergent encryption produces a number of encryption keys, of which size is linear to the number of different data. Although a deduplication scheme has been proposed for efficient convergent key management recently, it has drawbacks in terms of scalability and key management security. In order to solve these problems, we propose a novel secure deduplication scheme with scalable and reliable key management based on pairing-based cryptography. The proposed scheme does not require additional secure channels to distribute key components while still guaranteeing secure key management as opposed to the previous schemes.


Multimedia Tools and Applications | 2016

Enhanced authentication for outsourced educational contents through provable block possession

Changhee Hahn; Hyunsoo Kwon; Daeyoung Kim; Junbeom Hur

In recent years, the volume of educational contents has explosively increased thanks to the rapid development of multimedia technologies. Furthermore, the development of smart devices has made various educational institutes use them as effective learning tools. Since more and more educational contents become available not only at school zone but at a variety of online learning systems, it becomes increasingly unaffordable for a single educational contents provider to store and process them locally. Therefore, many educational contents providers are likely to outsource the contents to cloud storage for cost saving. These phenomena raise one serious concern: how to authenticate educational contents users in a secure and efficient way? The most widely used password-based authentication suffers from numerous drawbacks in terms of security. Multi-factor authentication protocols based on diverse communication channels such as SMS, biometric, hardware token could enhance security; however, they inevitably bring poor usability. To this end, we present a data block-based authentication scheme, which provides provable security and guarantees usability invariant such that users do nothing but enter a password. In addition, the proposed scheme supports efficient user revocation. To the best of our knowledge, our scheme is the first data block-based authentication scheme for outsourced educational contents that is provably secure without usability degradation. The experiment on Amazon EC2 cloud shows that the proposed scheme guarantees nearly constant time for user authentication.


Proceedings of the 2nd ACM Workshop on Blockchains, Cryptocurrencies, and Contracts | 2018

A Practical De-mixing Algorithm for Bitcoin Mixing Services

Younggee Hong; Hyunsoo Kwon; Jihwan Lee; Junbeom Hur

Bitcoin mixing services improve anonymity by breaking the connection between Bitcoin addresses. In the darkweb environment, many illegal trades, such as in drugs or child pornography, avoid their transactions being traced by exploiting mixing services. Therefore, de-mixing algorithms are needed to identify illegal financial flows and to reduce criminal activity. Unfortunately, to the best of our knowledge, few studies on analyzing mixing services and de-anonymizing transactions have been proposed. In this paper, we conduct an in-depth analysis of real-world mixing services, and propose a de-mixing algorithm for Helix, one of the most widely used Bitcoin mixing services. The proposed algorithm de-anonymizes the relationship between the input and output addresses of mixing services by exploiting the static and dynamic parameters of mixing services. Our experiment showed that we could identify the relationships between the input and output addresses of the Helix mixing service with a 99.14% accuracy rate.


Workshop on Information Security Applications | 2016

A Practical Analysis of TLS Vulnerabilities in Korea Web Environment

Jongmin Jeong; Hyunsoo Kwon; Hyungjune Shin; Junbeom Hur

TLS protocol provides a secure communication environment by guaranteeing the confidentiality and the integrity of transmitted data between two parties. However, there have been lots of vulnerabilities in TLS protocol and attacks exploiting them in aspects of protocol, implementation, and cryptographic tools. In spite of the lessons learned from the past experiences, various attacks on the network systems are being reported continuously due to the lack of care with regard to the proper TLS deployment and management. In this paper, we investigate TLS vulnerabilities in Korea’s top 100 websites selected from Alexa global top 500 sites and 291 Korea’s public enterprise websites. We compare the analysis results with those of Alexa global top 100 websites. Then, we discuss the lessons learned from this study. In order to analyze TLS vulnerabilities efficiently, we developed a TLS vulnerability scanner, called Network Vulnerabilities Scanner (NVS). We also analyze e-mail security of Korea’s top 3 e-mail service providers, which are supposed to be secured by TLS. Interestingly, we found that the e-mail service of them is not so secured by TLS as opposed to the analysis of Google’s transparency report.
