Publication


Featured research published by William R. Claycomb.


Journal of Network and Computer Applications | 2011

A novel node level security policy framework for wireless sensor networks

William R. Claycomb; Dongwan Shin

Wireless sensor networks are commonly used for critical security tasks such as intrusion or tamper detection, and therefore must be protected. To date, security of these networks relies mostly on key establishment and routing protocols. We present an approach to protecting wireless sensor networks based on a security policy, enforced at the node level. This policy is based on a new approach to key establishment, which combines a group-based distribution model and identity-based cryptography. Using this solution enables nodes to authenticate each other, and provides them with a structure to build secure communications between one another, and between various groups. Using our key establishment protocol and security policy, we show how to reduce or prevent significant attacks on wireless sensor networks.


International Conference on Pervasive Services | 2006

Using A Two Dimensional Colorized Barcode Solution for Authentication in Pervasive Computing

William R. Claycomb; Dongwan Shin

The task of establishing secure communication in a wireless pervasive computing environment faces several challenges. One of the most critical is determining the authenticity of the parties wishing to communicate. An existing method of enabling authenticated key agreement involves using a two-dimensional visual code system with digital camera enabled devices as a way of demonstratively identifying entities. This paper seeks to extend that solution by colorizing the code system, thereby extending the amount of data which can be carried by a visual tag, and thus reducing the necessary size of such tags. This creates images more easily recognized by the devices establishing secure communication in wireless pervasive computing environments. A detailed explanation of an implementation of this method is presented, along with performance evaluation and analysis.


International Carnahan Conference on Security Technology | 2009

Secure device pairing using audio

William R. Claycomb; Dongwan Shin

Secure device pairing between mobile devices is a challenging task. The lack of a trusted authority and low computational power make it difficult for mobile devices to establish secure communication channels in ubiquitous computing environments. Solutions have been proposed using location-limited channels to transmit secure pairing information that can be verified as originating from the intended device, enabling users to establish secure channels over insecure mediums. Of particular interest is using audio as a location-limited channel, due to the widespread deployment of audio capabilities on mobile devices. We describe a solution for secure device pairing using audio, called UbiSound, which only requires a single audio transmission to authenticate both devices. We describe our communication protocol, implementation details and results, and discuss how our solution is resistant to a number of attacks. Additionally, we emphasize how our solution is usable for visually impaired users.


Journal of Internet Services and Applications | 2011

Toward role-based provisioning and access control for infrastructure as a service (IaaS)

Dongwan Shin; Hakan Akkan; William R. Claycomb; Kwanjoong Kim

Cloud computing has drawn much attention in recent years. One of its service models, called infrastructure as a service (IaaS), provides users with infrastructure services such as computation and data storage, heavily dependent upon virtualization techniques. Most of the current IaaS providers take the user-resource direct mapping approach for their business, where individual users are the only type of service consumer who can request and use virtualized resources as long as they pay for the usage. Therefore, in this approach, the users and virtual resources are centrally managed at the IaaS providers. However, this also results in the lack of support for scalable authorization management of users and resources, organization-level policy support, and flexible pricing for business users. Considering the increasing popularity and growing user base of cloud computing, there is a strong need for a more flexible IaaS model with a finer grained access control mechanism than the aforementioned all-or-nothing approach. In this paper we propose a domain-based, decentralized framework for provisioning and managing users and virtualized resources in IaaS. Specifically, an additional layer called domain is introduced to the user-resource direct mapping scheme, whereby de-centralization of user and resource management is facilitated. Our framework also allows the IaaS service provider to delegate its administrative routines to domains so that each domain is able to manage its users and virtualized resources allocated by the IaaS provider. Our domain-based approach offers benefits such as scalable user/resource management, domain-based security and governance policy support, and flexible pricing.


International Carnahan Conference on Security Technology | 2007

Towards Privacy in Enterprise Directory Services: A User-Centric Approach to Attribute Management

William R. Claycomb; Dongwan Shin; Della Hareland

Enterprise directory services (EDS) are commonly used to store attributes related to individual users within a corporation, and provide those attributes to authorized users upon request. These attributes may contain sensitive personal information, such as citizenship or social security numbers. Consequently, access to such information is generally controlled, usually by traditional methods such as access control lists. However, if a user-centric identity management model is considered, in which users control their own information and control access to that information, traditional EDS implementations do not provide complete protection from a user perspective. We propose combining public key infrastructure, user-centric identity management, and EDS to allow users control of the personal information stored within a directory as well as who is allowed to access that information. We demonstrate how a user may employ PKI to encrypt individual attributes, then share decryption information with selected entities. Among other advantages, this solution eliminates the possibility of administrative access to users' information, a potential threat that exists within many EDS.


Proceedings of the 2010 ACM workshop on Insider threats | 2010

Detecting insider activity using enhanced directory virtualization

William R. Claycomb; Dongwan Shin

Insider threats often target authentication and access control systems, which are frequently based on directory services. Detecting these threats is challenging, because malicious users with the technical ability to modify these structures often have sufficient knowledge and expertise to conceal unauthorized activity. The use of directory virtualization to monitor various systems across an enterprise can be a valuable tool for detecting insider activity. The addition of a policy engine to directory virtualization services enhances monitoring capabilities by allowing greater flexibility in analyzing changes for malicious intent. The resulting architecture is a system-based approach, where the relationships and dependencies between data sources and directory services are used to detect an insider threat, rather than simply relying on point solutions. This paper presents such an architecture in detail, including a description of implementation results.


International Conference on Information Technology: New Generations | 2009

Authenticated Dictionary-Based Attribute Sharing in Federated Identity Management

Dongwan Shin; Rodrigo Lopes; William R. Claycomb

Authenticated dictionaries have been primarily studied and used in the context of certificate revocation in public key infrastructure (PKI). This paper presents a novel approach to enabling controlled access to and selective sharing of sensitive user attributes in federated identity management (FIM) by integrating an authenticated dictionary (ADT)-based credential into FIM, while attempting to achieve both better privacy control and usability. Our approach is motivated by the notion of user-centricity, which is essentially to give users a larger degree of control over their attributes. We discuss the design of a security system based on the usage of ADT-based credentials. Finally we discuss a proof-of-concept implementation.


ACM Symposium on Applied Computing | 2007

Towards secure resource sharing for impromptu collaboration in pervasive computing

William R. Claycomb; Dongwan Shin

Access control in mobile and pervasive computing is a complex issue, with many aspects relating to the establishment, management, and enforcement of methods and policies that allow mobile devices to share resources with each other. Communication between mobile devices can arise spontaneously, involve the sharing of few resources between heterogeneous platforms, and only need to be maintained for a short time. Additionally, the devices often communicate with each other a single time, and have no pre-shared secret or a priori knowledge of the other device. In this paper we propose a secure solution for providing controlled access to local resources in mobile and pervasive computing environments. Our solution incorporates demonstrative verification of security credentials, a key-based capability delegation, and easy to use access control features in order to provide simple access with low maintenance costs. It is particularly designed for one-time-only communication between mobile-to-mobile or mobile-to-kiosk devices.


Computer Software and Applications Conference | 2009

A Framework for Enabling User-Controlled Persona in Online Social Networks

Dongwan Shin; Rodrigo Lopes; William R. Claycomb; Gail Joon Ahn

As the use of personal information in social network sites seems manifold, including the representation of an individual's digital persona (or social role) and identification, so does the abuse or misuse of the information. The issue of privacy is critically important in this context. In this paper we present a novel framework for enabling user-controlled sharing of sensitive personal information for better privacy protection in current online social networks. Specifically, the framework called U-Control is proposed to facilitate digital persona and privacy management (DPPM) in a user-centric way that it can satisfy diverse privacy requirements and specification, and social network environments. We discuss the design of a security system based on the proposed framework. Finally we discuss a proof-of-concept implementation, along with performance evaluation.


International Carnahan Conference on Security Technology | 2009

Threat modeling for virtual directory services

William R. Claycomb; Dongwan Shin

Directory services are corporate computing objects responsible for providing information about user accounts, computer accounts, contacts, etc. Virtual directories are powerful tools for consolidating this data, modifying it if necessary, and presenting it to the end user in a highly customized manner. While attacks against directory services have been identified, attacks and vulnerabilities of virtual directories remain largely unstudied. In this paper, we present an analysis of four types of attacks on virtual directory services. In doing so, we describe how each is performed, and discuss how to detect and prevent each type of attack. This first step towards protecting virtual directory services is critical to protecting the information contained in the source directories - information which could potentially contain sensitive data and be used for authentication and/or access control decisions.

Collaboration


Dive into William R. Claycomb's collaboration.

Top Co-Authors

Dongwan Shin
New Mexico Institute of Mining and Technology

Rodrigo Lopes
New Mexico Institute of Mining and Technology

Gail Joon Ahn
Arizona State University

Hakan Akkan
New Mexico Institute of Mining and Technology

Seunghyun Im
University of Pittsburgh