Shiuh-Pyng Shieh
National Chiao Tung University
Publication
Featured research published by Shiuh-Pyng Shieh.
Computers & Security | 1999
Wen-Her Yang; Shiuh-Pyng Shieh
In this paper, two password authentication schemes with smart cards are proposed. In the schemes, users can change their passwords freely, and the remote system does not need the directory of passwords or verification tables to authenticate users. Once the secure network environment is set up, authentication can be handled solely by the two parties involved. For a network without synchronized clocks, the proposed nonce-based authentication scheme is able to prevent malicious replay attacks.
IEEE Transactions on Knowledge and Data Engineering | 1997
Shiuh-Pyng Shieh; Virgil D. Gligor
Operational security problems, which are often the result of access authorization misuse, can lead to intrusion in secure computer systems. We motivate the need for pattern-oriented intrusion detection, and present a model that tracks both data and privilege flows within secure systems to detect context-dependent intrusions caused by operational security problems. The model allows the uniform representation of various types of intrusion patterns, such as those caused by unintended use of foreign programs and input data, imprudent choice of default privileges, and use of weak protection mechanisms. As with all pattern-oriented models, this model cannot be used to detect new, unanticipated intrusion patterns that could be detected by statistical models. For this reason, we expect that this model will complement, not replace, statistical models for intrusion detection.
Service Oriented Computing and Applications | 2014
Zhi-Kai Zhang; Michael Cheng Yi Cho; Chia-Wei Wang; Chia-Wei Hsu; Chong Kuan Chen; Shiuh-Pyng Shieh
The Internet of Things (IoT) opens opportunities for wearable devices, home appliances, and software to share and communicate information on the Internet. Given that the shared data contains a large amount of private information, preserving information security on the shared data is an important issue that cannot be neglected. In this paper, we begin with general information security background of IoT and continue with the information security-related challenges that IoT will encounter. Finally, we point out research directions that could be future work toward solutions to the security challenges that IoT encounters.
IEEE Symposium on Security and Privacy | 1991
Shiuh-Pyng Shieh; Virgil D. Gligor
Operational security problems can lead to intrusion in secure computer systems. The authors justify the need for, and present, a pattern-oriented intrusion-detection model that can be used to analyze object privilege and data flows in secure computer systems to detect operational security problems. This model can address context-dependent intrusion, such as use of covert-storage channels and virus propagation, and has been used to build an intrusion detection system for Trusted XENIX. Pattern-oriented intrusion detection is expected to complement, not replace, current statistical approaches to intrusion detection.
Computer and Communications Security | 2006
Shang-Ming Chang; Shiuh-Pyng Shieh; Warren W. Lin; Chih-Ming Hsieh
A broadcast authentication mechanism is important in wireless sensor networks, assuring receivers of a packet's validity. To provide authentication, some researchers utilize one-way key chains and delayed disclosure of keys; however, such an approach requires time synchronization and delayed authentication. Another technique uses one-time signature schemes. Unfortunately, such schemes suffer from large key sizes and a limited number of uses per key. To cope with these problems, we propose an efficient, one-time signature-based broadcast authentication scheme for wireless sensor networks that reduces storage usage and includes a re-keying mechanism.
IEEE Transactions on Multimedia | 2004
Yu-Lun Huang; Shiuh-Pyng Shieh; Fu-Shen Ho; Jian-Chyuan Wang
To provide secure media delivery in pay-TV systems, a large number of messages are exchanged for key updates in the conventional key distribution schemes. This is inefficient and costly when the client side (set-top box) uses a smart card with limited computing power. In this paper, we present three key distribution schemes for channel protection and secure media delivery in pay-TV systems. With the proposed schemes, encryption keys of the subscribed programs can be efficiently and securely distributed to the authorized subscribers. Only one message is needed to renew a key in the key distribution schemes for subscription channel protection. In addition, we use simpler computation functions, including a one-way hash function and the exclusive-OR operation, for key updates to reduce the computation cost. With our key distribution schemes, only authorized subscribers can watch the subscribed programs correctly. Unauthorized subscribers have no information to retrieve the correct programs over the networks. Thus, service providers can charge their subscribers according to their subscriptions, and the illegal access of the media and video programs from networks can be prevented, based on the proposed schemes.
Wireless Networks | 2010
Shih-I Huang; Shiuh-Pyng Shieh; J. D. Tygar
This paper proposes a secure encrypted-data aggregation scheme for wireless sensor networks. Our design for data aggregation eliminates redundant sensor readings without using encryption and maintains data secrecy and privacy during transmission. Conventional aggregation functions operate when readings are received in plaintext. If readings are encrypted, aggregation requires decryption, creating extra overhead and key management issues. In contrast to conventional schemes, our proposed scheme provides security and privacy, and duplicate instances of original readings will be aggregated into a single packet. Our scheme is resilient to known-plaintext attacks, chosen-plaintext attacks, ciphertext-only attacks and man-in-the-middle attacks. Our experiments show that our proposed aggregation method significantly reduces communication overhead and can be practically implemented in off-the-shelf sensor platforms.
Vehicular Technology Conference | 2000
Shiuh-Pyng Shieh; Chern-Tang Lin; Wei-Bon Yang; Hung-Min Sun
In this paper, we motivate the need for efficient multisignature schemes in delegated mobile services. With the schemes, delegates can be identified and delegated accesses can be controlled. First, we give a new digital signature scheme with message recovery. Based on the digital signature scheme, two digital multisignature schemes are proposed: the parallel multisignature scheme and the serial multisignature scheme. The parallel multisignature scheme allows each user to sign the same message separately and independently, and then combines all individual signatures into a multisignature. The serial multisignature scheme allows a group of users to sign the message serially, and does not need to predetermine the signing order. Both multisignature schemes can withstand the attacks that aim to forge the signatures or to get the private keys of the signers.
Computer and Communications Security | 2007
Cheng-Huang Jiang; Shiuh-Pyng Shieh; Jen-Chien Liu
Keystroke typing characteristics are considered one of the important biometric features that can be used to protect users against malicious attacks. In this paper we propose a statistical model for web authentication with keystroke typing characteristics based on Hidden Markov Model and Gaussian Modeling from Statistical Learning Theory. Our proposed model can substantially enhance the accuracy of the identity authentication by analyzing keystroke timing information of the username and password. Results of the experiments showed that our scheme achieved by far the best error rate of 2.54%.
Computers & Security | 2005
Fu-Yuan Lee; Shiuh-Pyng Shieh
In this paper, we propose a new scheme, called ANTID, for detecting and filtering DDoS attacks which use spoofed packets to circumvent the conventional intrusion detection schemes. The proposed anti-DDoS scheme intends to complement, rather than replace, conventional schemes. By embedding in each IP packet a unique path fingerprint that represents the route an IP packet has traversed, ANTID is able to distinguish IP packets that traverse different Internet paths. In ANTID, a server maintains for each of its communicating clients the mapping from the client's IP address to the corresponding path fingerprint. The construction and renewal of these mappings is performed in an on-demand fashion that helps to reduce the cost of maintenance. With the presence of the mapping table, the onset of a spoofed DDoS attack can be detected by observing a surge of spoofed packets. Consequently, spoofed attack packets are filtered so as to sustain the quality of protected Internet services. ANTID is lightweight, robust, and incrementally deployable. Our experiment results showed that the proposed scheme can detect 99.95% spoofed IP packets and can discard them with little collateral damage to legitimate clients. It also showed that the higher the aggregated attack rate is, the sooner the attack can be detected.