
2013 International Conference on Security and Cryptography (SECRYPT): Latest Papers

SVD-based digital image watermarking on approximated orthogonal matrix
Pub Date : 2013-07-29 DOI: 10.5220/0004507903210330
Y. Zolotavkin, M. Juhola
A new watermarking method based on Singular Value Decomposition is proposed in this paper. The method uses new embedding rules to store a watermark in orthogonal matrix U that is preprocessed in advance in order to fit a proposed model of orthogonal matrix. Some experiments involving common distortions for grayscale images were done in order to confirm efficiency of the proposed method. The robustness of watermark embedded by our method was higher for all the proposed rules under condition of jpeg compression and in some cases outperformed existing method for more than 46%.
Citations: 2
A game theory based repeated rational secret sharing scheme for privacy preserving distributed data mining
Pub Date : 2013-07-29 DOI: 10.5220/0004525205120517
Nirali R. Nanavati, D. Jinwala
Collaborative data mining has become very useful today with the immense increase in the amount of data collected and the increase in competition. This in turn increases the need to preserve the participants' privacy. There have been a number of approaches proposed that use Secret Sharing for privacy preservation for Secure Multiparty Computation (SMC) in different setups and applications. The different multiparty scenarios may have parties that are semi-honest, rational or malicious. A number of approaches have been proposed for semi honest parties in this setup. The problem however is that in reality we have to deal with parties that act in their self-interest and are rational. These rational parties may try and attain maximum gain without disrupting the protocol. Also these parties if cautioned would correct themselves to have maximum individual gain in the future. Thus we propose a new practical game theoretic approach with three novel punishment policies with the primary advantage that it avoids the use of expensive techniques like homomorphic encryption. Our proposed approach is applicable to the secret sharing scheme among rational parties in distributed data mining. We have analysed theoretically the proposed novel punishment policies for this approach. We have also empirically evaluated and implemented our scheme using Java. We compare the punishment policies proposed in terms of the number of rounds required to attain the Nash equilibrium with eventually no bad rational nodes with different percentage of initial bad nodes.
Citations: 9
Efficient group signatures with verifier-local revocation employing a natural expiration
Pub Date : 2013-07-29 DOI: 10.5220/0004600105550560
L. Malina, J. Hajny, Zdenek Martinasek
This paper presents a novel proposal of group signatures with verifier-local revocation employing a natural expiration to ensure an efficient verification of signatures and a revocation check. Current group signatures have an expensive verification phase which takes several pairing operations and checks a long-sized revocation list, especially, if a large number of users are in the group. Generally, the revocation list grows linearly every time when a new revoked user is added into the list unless group parameters and keys are not reinitialized. Nevertheless, the reinitialization is not feasible and burdens the communication overhead in many communication systems. In these schemes, the verification of several signatures with the long-sized revocation list takes too much time. Our proposed group signature scheme offers the more efficient verification phase which employs the revocation list that is reduced in time by a natural expiration of group member secret keys. Due to an optimization in the verification phase, our scheme is more efficient than related solutions.
Citations: 9
Modelling SCADA and corporate network of a medium voltage power grid under cyber attacks
Pub Date : 2013-07-29 DOI: 10.5220/0004523501230134
E. Ciancamerla, M. Minichino, S. Palmieri
There is an increasing concern over the cyber security of Critical Infrastructures (CI) due to the increasing ability of cyber attackers to cause even catastrophic failures. It is mainly due to the pervasiveness of ICT (Information and Communication Technologies) and to the consequent de isolation of SCADA (Supervision, Control and Data Acquisition) system, which represents the nervous system of most CIs. Cyber attacks could block the connection between SCADA Control Centre and its remote devices or insert fake commands/measurements in the equipment communications. With reference to an actual case study, constituted by a SCADA system controlling a portion of a medium voltage power grid and a corporate network, we discuss how cyber threats, vulnerabilities and attacks might degrade the functionalities of SCADA and corporate network, which, in turn, might lead to outages of the electrical grid. We represent SCADA and corporate network under malware propagation, Denial of Service and Man In The Middle attacks and predict their consequent performance degradation. Particularly, we use NetLogo to identify possible malware propagation in relation to SCADA & corporate security policies adopted from the utility and NS2 simulator to compute the consequences of the attacks on SCADA and in turn on power grid.
Citations: 4
An efficient and provably secure certificateless identification scheme
Pub Date : 2013-07-29 DOI: 10.5220/0004526303710378
Ji-Jian Chin, R. Phan, R. Behnia, Swee-Huay Heng
Identity-based identification, first formalized independently by Bellare et al. and Kurosawa and Heng in 2004, still had the inherent key escrow problem, as the TA generating the user secret keys had full access to every user's secret key. In 2003, Al-Riyami and Paterson introduced the notion of certificateless cryptography, and subsequently many certificateless encryption, signature and other schemes were introduced in literature. However, to this date there are still no certificateless identification schemes in existence. Therefore, in this paper, we formalize the notion of certificateless identification schemes and construct the first concrete certificateless identification scheme.
Citations: 9
Policy-based security assessment of mobile end-user devices: an alternative to mobile device management solutions for Android smartphones
Pub Date : 2013-07-29 DOI: 10.5220/0004509903470354
Thomas Zefferer, Peter Teufl
For security-critical applications, the integrity and security of end-user devices is of particular importance. This especially applies to mobile applications that use smartphones to process security-critical data. Unfortunately, users often compromise the security of smartphones by disabling security features for convenience reasons or by unintentionally installing malware from untrusted application sources. Mobile device management (MDM) solutions overcome this problem by providing means to centrally manage and configure smartphones. However, MDM is mainly suitable for corporate environments but often cannot be applied in non-corporate fields of application such as m-banking or m-government. To address this problem, we propose an alternative approach to assure the security and integrity of smartphones. Our approach relies on a device assessor that evaluates the current state of a smartphone according to a security policy. Integration of this device assessor allows smartphone applications to condition the processing of security-critical data on the smartphone's compliance with a defined security policy. We have shown the practicability of the proposed approach by means of a concrete implementation for the Android platform. We have evaluated this implementation on different Android devices. Obtained results show that our approach constitutes an appropriate alternative for scenarios, in which MDM cannot be applied.
Citations: 4
Intent security testing: An Approach to testing the Intent-based vulnerability of Android components
Pub Date : 2013-07-29 DOI: 10.5220/0004515203550362
S. Salva, Stassia R. Zafimiharisoa, Patrice Laurençot
The intent mechanism is a powerful feature of the Android platform that helps compose existing components together to build a Mobile application. However, hackers can leverage the intent messaging to extract personal data or to call components without credentials by sending malicious intents to components. This paper tackles this issue by proposing a security testing method which aims at detecting whether the components of an Android application are vulnerable to malicious intents. Our method takes Android projects and intent-based vulnerabilities formally represented with models called vulnerability patterns. The originality of our approach resides in the generation of partial specifications from configuration files and component codes to generate test cases. A tool, called APSET, is presented and evaluated with experimentations on some Android applications.
Citations: 1
On the effectiveness of dynamic taint analysis for protecting against private information leaks on Android-based devices
Pub Date : 2013-05-22 DOI: 10.5220/0004535104610468
Golam Sarwar, O. Mehani, R. Boreli, M. Kâafar
We investigate the limitations of using dynamic taint analysis for tracking privacy-sensitive information on Android-based mobile devices. Taint tracking keeps track of data as it propagates through variables, interprocess messages and files, by tagging them with taint marks. A popular taint-tracking system, TaintDroid, uses this approach in Android mobile applications to mark private information, such as device identifiers or user's contacts details, and subsequently issue warnings when this information is misused (e.g., sent to an un-desired third party). We present a collection of attacks on Android-based taint tracking. Specifically, we apply generic classes of anti-taint methods in a mobile device environment to circumvent this security technique. We have implemented the presented techniques in an Android application, ScrubDroid. We successfully tested our app with the TaintDroid implementations for Android OS versions 2.3 to 4.1.1, both using the emulator and with real devices. Finally, we evaluate the success rate and time to complete of the presented attacks. We conclude that, although taint tracking may be a valuable tool for software developers, it will not effectively protect sensitive data from the black-box code of a motivated attacker applying any of the presented anti-taint tracking methods.
Citations: 125
Topological study and Lyapunov exponent of a secure steganographic scheme
Pub Date : 2012-06-13 DOI: 10.5220/0004504202750283
J. Bahi, Nicolas Friot, C. Guyeux
CIS2 is a steganographic scheme proposed formerly, belonging into the small category of algorithms being both stego and topologically secure. Due to its stego-security, this scheme is able to face attacks that take place into the “watermark only attack” framework. Its topological security reinforce its capability to face threats in other frameworks as “known message attack” or “known original attack”, in the Simmons' prisoner problem. In this research work, the study of topological properties of CIS2 is enlarged by describing this scheme as iterations over the real line, and investigating other security properties of topological nature as the Lyapunov exponent, that have been reported as important in the field of information hiding security. Results show that this scheme is able to withdraw a malicious attacker in the “estimated original attack” context too.
Citations: 1
Trust-based secure cloud data storage with cryptographic role-based access control
Pub Date : 1900-01-01 DOI: 10.5220/0004508600620073
Lan Zhou, V. Varadharajan, M. Hitchens
Role-based access control (RBAC) model is a widely used access control model which can simplify security management in large-scale systems. Recently, several cryptographic RBAC schemes have been proposed to integrate cryptographic techniques with RBAC models to secure data storage in an outsourced environment such as a cloud. These schemes allow data to be encrypted in such a way that only the users who are members of an appropriate role can decrypt and view the data. However, the issue of trust in such a data storage system is not addressed in these schemes. In this paper, we propose trust models to improve the security of such a system which uses cryptographic RBAC schemes. The trust models provide an approach for the users and roles to determine the trustworthiness of individual roles and owners in the RBAC system. The users can use the trust models to decide whether to join a particular role for accessing data in the system. The roles can use the trust models in their decision to ensure that only data from data owners with good behaviours are accepted by the roles. The proposed trust models take into account role inheritance and hierarchy in the evaluation of trustworthiness of the roles. In addition, we present a design of a trust-based cloud storage system which shows how the trust models can be integrated into a system that uses cryptographic RBAC schemes.
Citations: 1