Yunhui Zhuang

A Highly Efficient RFID Distance Bounding Protocol without Real-Time PRF Evaluation

There is a common situation among current distance bounding protocols in the literature: they set the fast bit exchange phase after a slow phase in which the nonces for both the reader and a tag are exchanged. The output computed in the slow phase is acting as the responses in the subsequent fast phase. Due to the calculation constrained RFID environment of being lightweight and efficient, it is the important objective of building the protocol which can have fewer number of message flows and less number of cryptographic operations in real time performed by the tag. In this paper, we propose a new highly efficient mutually-authenticated RFID distance bounding protocol that enables pre-computation which is carried out off-line by the tag. There is no evaluation on any PRF during the real time protocol running which makes the tag significantly more efficient at a low-cost. The protocol requires only O(1) complexity for achieving tag privacy. In addition, we give a detailed security analysis to prove that our protocol is secure against all common attacks in distance bounding.

A New Unpredictability-Based RFID Privacy Model

Ind-privacy and unp-privacy, later refined to unp*-privacy, are two different classes of privacy models for RFID authentication protocols. These models have captured the major anonymity and untraceability related attacks regarding RFID authentication protocols with privacy, and existing work indicates that unp*-privacy seems to be a stronger notion when compared with ind-privacy. In this paper, we continue studying the RFID privacy models, and there are two folds regarding our results. First of all, we describe a new traceability attack and show that schemes proven secure in unp*-privacy may not be secure against this new and practical type of traceability attacks. We then propose a new unpredictability-based privacy model to capture this new type of attacks. Secondly, we show that this new model, where we called it the unp τ -privacy, is stronger than both unp*-privacy and ind-privacy.

How to Demonstrate Our Presence Without Disclosing Identity? Evidence from a Grouping-Proof Protocol

The recent hot debate on sharing economy has been an emergence in a dynamic ownership economy, which attracts lots of attentions in the news media. The concept and practice of resource sharing have been fast becoming a mainstream phenomenon across the world. People share assets to their friends via Internet or smartphones. Meanwhile, researchers are now beginning to weigh in with deeper analysis in terms of security and privacy, which turn out to be one critical area of argument when sharing the items with others. To securely track the location of an item is of high importance in many mobile applications, which rely heavily on the notion of device proximity. In addition to securely and precisely determining an items location, it is also desirable to preserve the privacy and untraceability of the item. Grouping-proof protocols are often used to prove the presence of a group of Provers to the Verifier at the same time. In this paper, we propose a new grouping-proof protocol that is well deployed in proximity identification systems for sharing economy, where each Prover needs to demonstrate its presence to the Verifier without disclosing its real identity. Our protocol is mutually authenticated and secure against all known attacks in a grouping-proof setting. Furthermore, the protocol retains the untraceability of a tag through forward privacy and prevents de-synchronization attacks.

Matching in Proximity Authentication and Mobile Payment EcoSystem: What Are We Missing?

During the past decade, cybersecurity threats have drawn everyone’s attention and it’s becoming a national priority in many leading countries. With the development of sophisticated mobile technology, mobile (contactless) payment insecurity, which may cause huge financial losses, is now becoming a serious threat to our daily life. During the holiday season in 2013, China’s most welcome mobile payment system provider - Alipay - lost over 20 GB worth of customer data in a security breach, which affected at least 15 million customers. Even though the company has promised to evaluate the security of the system and to take necessary measures to protect customer’s data, are we still safe with the payment? In this paper, we investigate several security vulnerabilities for Alipay wallet, which may cause individual’s personal data and financial losses. This is due to not only less regulation by authorities but also the failure of enabling secure proximity authentication during mobile payment. By going through these surprising vulnerabilities, we come up with some ideas on how to combat them and show how to enhance the mobile payment security by enabling proximity authentication before monetary transactions.

When Innovation Meets Evolution: An Extensive Study of Emerging e-Learning Technologies for Higher Education in Hong Kong

With the rapid development of sophisticated technologies, many innovative e-Learning tools or applications with increased inter-activities and improved features have been adopted in tertiary institutions. This paper serves as a platform for industry and academia to exchange higher education practices in innovative course and programme design. We investigate current practices in tertiary institutions with e-Learning technologies and applications to enhance academics’ teaching excellences and research capabilities in order to achieve social, cultural, environmental, or economic impacts. In particular, we investigate all public universities and one private college in Hong Kong in terms of various e-Learning technologies. The results demonstrate that all these e-Learning technologies for being used in higher education help to enhance teaching and learning experiences, and make it more efficient and effective. Students can also benefit from these e-Learning technologies to become life-long learners. Moreover, by taking a closer look at current e-Learning technology trends, we list some possible e-Learning applications and tools that are expected to surge in the coming years.

Exploring relationship between indistinguishability-based and unpredictability-based RFID privacy models

Abstract A comprehensive privacy model plays a vital role in the design of privacy-preserving RFID authentication protocols. Among various existing RFID privacy models, indistinguishability-based (ind-privacy) and unpredictability-based (unp-privacy) privacy models are the two main categories. Unp ∗ -privacy, a variant of unp-privacy has been claimed to be stronger than ind-privacy. In this paper, we focus on studying RFID privacy models and have three-fold contributions. We start with revisiting unp ∗ -privacy model and figure out a limitation of it by giving a new practical traceability attack which can be proved secure under unp ∗ -privacy model. To capture this kind of attack, we improve unp ∗ -privacy model to a stronger one denoted as unp τ -privacy. Moreover, we prove that our proposed privacy model is stronger than ind-privacy model. Then, we explore the relationship between unp ∗ -privacy and ind-privacy, and demonstrate that they are actually not comparable, which is in contrast to the previous belief. Next, we present a new RFID mutual authentication protocol and prove that it is secure under unp τ -privacy model. Finally, we construct a RFID mutual authentication model denoted as M A model, and show that unp τ -privacy implies M A , which gives a reference to design a privacy-preserving RFID mutual authentication protocol. That is, if we propose a scheme that satisfies unp τ -privacy, then it also supports mutual authentication.

On Security and Privacy of Quick Response System in Classroom Teaching

The Quick Response System (QRS) consists of a 2-D machine- readable QR Codes and a mobile-friendly user interface. The QR Codes can be encoded to different types of information. Because of QR code’s high information density and robustness, it has gained popularity in many applications across various industries. Recently, some universities and colleges have adopted QR Code into classroom teaching, by taking advantage of its instant feedback from students, instructors may have immediate understanding of whether students have understood a concept. The QR code can be used for polling, tutorials, and quizzes. However, it is crucial to protect against personal data from disclosure and to prove student identity, especially in the event of an in-class QR Code-based quiz. In this paper, we explore some potential security breaches and privacy concerns for QR codes in classroom teaching, and propose some design requirements with respect to the QR code itself. We also suggest to apply a grouping-proof protocol to authenticate all students identity before starting a quiz. This paper sheds some lights on future research directions in QR code design and processing.