Article

A secure and efficient Internet of Things cloud encryption scheme with forensics investigation compatibility based on identity-based encryption


Abstract

Data security is a challenge for end-users of cloud services as the users have no control over their data once it is transmitted to the cloud. A potentially corrupt cloud service provider can obtain the end-users’ data. Conventional PKI-based solutions are insufficient for large-scale cloud systems, considering efficiency, scalability, and security. In large-scale cloud systems, the key management requirements include scalable encryption, authentication, and non-repudiation services, as well as the ability to share files with different users and data recovery when the user keys of encrypted data are not accessible. Further requirements in cloud systems include the ability to provide the means for digital forensic investigations on encrypted data. Once data on the cloud is encrypted with a user’s key, it becomes impossible for forensic investigation teams to access. In this regard, distributing the trust of key management across multiple authorities is desirable. In the literature, there is no available secure cloud storage system with secure and efficient Type-3 pairings, supporting Encryption-as-a-Service (EaaS) and multiple Public Key Generators (PKGs). This paper proposes an efficient Identity-based cryptography (IBC) architecture for secure cloud storage, named Secure Cloud Storage System (SCSS), which supports distributed key management and encryption mechanisms and support for multiple PKGs. During forensic investigations, the legal authorities will be able to use the multiple-PKG mechanism for data access, while an account locking mechanism prevents a single authority from accessing user data, due to trust distribution. We also demonstrate that the IBC scheme used in SCSS has better performance compared to similar schemes in the literature. For security levels of 128 bits and above, SCSS has better scalability compared to existing schemes with respect to encryption and decryption operations. Since the decryption operation is frequently needed for forensic analysis, the improved scalability results in a streamlined forensic investigation process on the encrypted data in the cloud.


... Unal et al. [38] propose a Safe Cloud Storage System (SCSS) that utilizes Identity-based Cryptography (IBC) and a decentralized key administration and encryption approach. This architecture addresses the limitations of traditional Public Key Infrastructure (PKI) solutions in terms of scalability and speed in protecting and retrieving data in the cloud. ...
... By examining the outcomes, valuable insights can be gained, leading to further investigations and advancements in the field. To assess the success of the proposed SSCA model, a comparative analysis is conducted, comparing its results with existing works such as MHE-IS-CPMT [41], ElGamal-based Authentication Method (EAM) [39], SCSS [38], and Secure hybridized Cloud-Enabled Framework (SHCEF) [34]. Moreover, the suggested architecture is evaluated based on various performance indicators, including response time, scalability, throughput, security, and dependability (reliability). ...
... Similarly, the research methods of Sarker et al. [37], Wu et al. [35], Irshad et al. [39], Uppuluri et al. [41], Sharma et al. [43], and Jalasri et al. [45] also gained moderate and very low levels of reliability performance. The Unal et al. [38], Ahmad et al. [40], and Selvarajan et al. [44] research methods have attained high reliability performance. However, the other significant metrics failed to improve in secured transmissions, like high response and execution time with a lower prediction rate. ...
Article
Full-text available
Cloud computing has revolutionized organizational operations by providing convenient, on-demand access to resources. The emergence of the Internet of Things (IoT) has introduced a new paradigm for collaborative computing, leveraging sensors and devices that generate and process vast amounts of data, thereby resulting in challenges related to scalability and security, making the significance of conventional security methods even more pronounced. Consequently, in this paper, we propose a novel Scalable and Secure Cloud Architecture (SSCA) that integrates IoT and cryptographic techniques, aiming to develop scalable and trustworthy cloud systems, thus enabling multi-user systems and facilitating simultaneous access to cloud resources by multiple users. The design adopts a decentralized approach, utilizing multiple cloud nodes to handle user requests efficiently and incorporates Multicast and Broadcast Rekeying Algorithm (MBRA) to ensure the privacy and confidentiality of user information, utilizing a hybrid cryptosystem that combines MBRA, Post Quantum Cryptography (PQC) and blockchain technology. Leveraging IoT devices, the architecture gathers data from distributed sensing resources and ensures the security of collected information through robust MBRA-PQC encryption algorithms, while the blockchain ensures that the confidential data is stored in distributed and immutable records. The proposed approach is applied to several datasets and the effectiveness is validated through various performance metrics, including response time, throughput, scalability, security, and reliability. The results highlight the effectiveness of the proposed SSCA, showcasing a notable reduction in response time by 1.67 seconds and 0.97 seconds for 250 and 1000 devices, respectively, in comparison to the MHE-IS-CPMT. 
Likewise, SSCA demonstrated significant improvements in the AUC values, exhibiting enhancements of 6.30%, 6.90%, 7.60%, and 7.30% at the 25-user level, and impressive gains of 5.20%, 9.30%, 11.50%, and 15.40% at the 50-user level when compared to the MHE-IS-CPMT, EAM, SCSS, and SHCEF models, respectively.
... Unal et al. [104] proposed the SCSS, a secure cloud storage system for cloud-based storage environments without the need for complex certificate management, with secure and efficient Type-3 pairings, supporting Encryption-as-a-Service (EaaS) and multiple Public Key Generators (PKGs), based on the SAKKE-IBE scheme. The first fundamental concept of the SCSS-SAKKE-IBE scheme is EaaS; the role of EaaS is to avoid implementing an encryption application on the user's device, so encryption can be provided by this service; therefore, it makes it possible to reduce the difficulty of encryption and key management tasks without losing data confidentiality. ...
... Users initiate key exchange processes to establish secure communication channels between them. It is important to note that achieving the criteria for secure key exchange often implies achieving the criteria for secure data transmission, in classical [99, 104–107] and in quantum [116, 118–122]. However, the reverse is not always applicable, which is due to the availability of alternative cryptographic techniques, such as asymmetric cryptography, or other operations, which can also serve this purpose, in classical [101–103, 108, 109] and in quantum [112, 115]. ...
... A significant portion of cryptographic-based approaches is designed to be lightweight and adaptable for IoT devices with constrained resources [98, 100–107, 109]. Another significant aspect of these approaches is their ability to fulfill the authentication security factor [98–100, 104–106]. ...
Article
Full-text available
The Internet of Things (IoT) is an important virtual network that allows remote users to access linked multimedia devices. The development of IoT and its ubiquitous application across various domains of everyday life has led to continuous research efforts. Security is a perceptual concern for researchers involved in IoT as it is a key factor in the acceptance of any innovative technology. Numerous research studies have been conducted concentrating on the level of IoT security on a particular mechanism, on specific applications, or on categorizing vulnerabilities, in order to address a defined situation of securing an IoT network. This present paper aims to comprehensively review potential solutions for securing IoT, between emerging and traditional mechanisms, such as blockchain, machine learning, cryptography, and quantum computing. This study provides a comparative analysis of related papers with their characteristics, pros and cons. Accordingly, it taxonomizes relevant solutions based on their achieved security requirements. Furthermore, the potential benefits and challenges of each of the four mechanisms are discussed.
... Direct control in such systems is carried out by low-power terminal microcontrollers equipped with radio modems. At the same time, in such remote control systems it is important to ensure reliable protection against outside interference [4], which requires the use of the entire arsenal of modern cryptographic mechanisms, including public-key ones. It is also important to ensure real-time implementation of public-key cryptographic algorithms. ...
... As noted above, the basic computational operation of public-key cryptography is modular exponentiation. The level of security is fully determined by the bit length n of the numbers over which this operation is performed [4]. ...
Article
The object of this research is the computational implementation of information security algorithms based on public-key cryptography, whose basic operation is modular exponentiation. The article reviews existing methods for computing the modular exponent for information protection mechanisms. It is shown that under present conditions their significant drawback is low speed, caused by the computational complexity of exponentiation over numbers of large bit length. The aim of the work is to accelerate the computational implementation of modular multiplication of numbers whose length significantly exceeds the processor word size, the basic operation of modern public-key cryptographic algorithms for data protection. To achieve this aim, a method is proposed in which the acceleration of modular multiplication is achieved by combining the multiplications of number sections with symmetric indices, as well as by alternating the cycles of adding sectional products of equal weight with group Montgomery reduction. Bibl. 11, tab. 1
... The Python execution technique allows infrastructure self-reliance. In [12], an effective Identity-based cryptography (IBC) model was introduced to protect cloud storage, described as a Secure Cloud Storage System (SCSS) that assists encryption techniques and distributed key management as well as aids in numerous PKGs. In a forensic investigation, the lawful authorities may be capable of employing several PKG methods for data availability, whereas an account locking approach avoids a single authority for accessing user information because of reliance distribution. ...
... Evidence and data are protected against malicious consumers by employing the SBVM [12] determined by a cloud authentication server (CAS). The SBVM contains consumers who have finished a positively safe verification procedure by means of a globular logic and secret key (SK). ...
Article
Full-text available
Secure storage model for digital forensics represents essential progress in the domain, addressing the major problems associated with protecting and maintaining digital evidence. This method employs recent encryption systems and optimal key generation methods to ensure the confidentiality and integrity of data throughout the investigative process. Cloud forensics is an intelligent development of digital forensics to be preserved against online hacking. But, centralized evidence gathered and preservation reduces the reliability of digital evidence. The architecture for digital forensics in an Infrastructure as a Service (IaaS) cloud platform is a crucial structure intended to simplify the collection and protection of evidence while preserving the integrity and origin of digital objects within cloud-based methods. This architecture integrates numerous modules and methods to address the exclusive tasks modeled by cloud computing (CC) environments in the framework of forensic investigations. This paper develops a new digital forensic architecture utilizing the Authentication with Optimal Key Generation Encryption (DFA-AOKGE) technique. The main intention of the DFA-AOKGE method is to use a BC-distributed design to allocate data between numerous peers for data collection and safe storage. Additionally, the DFA-AOKGE model uses the Secure Block Verification Mechanism (SBVM) for the authentication procedure. Also, the secret keys can be produced by the usage of the Enhanced Equilibrium Optimizer (EEO) model. Furthermore, the encryption of the data takes place using a multikey homomorphic encryption (MHE) approach and is then saved in the cloud server. The simulation value of the DFA-AOKGE methodology takes place in terms of different aspects. The simulation results exhibited that the DFA-AOKGE system shows prominent performance over other recent approaches in terms of different measures.
... End users of cloud services face a data security challenge since they have no control over their data once it has been sent to the cloud. When data in the cloud is encrypted using a user's key, forensic investigation teams cannot access it [12]. IoT-based Hierarchical Health Monitoring Model is suggested in [13] to obtain an appropriate evaluation of sports person health monitoring wearable while reducing energy usage. ...
... for each chimp: Extract the chimp's group Use its group strategy to update , , and Use , , and to calculate and then end for for each search chimp if ( < 0.5) if (| | < 1) Update the position of the current search agent by using equation (11) else if (| | > 1) Select a random search agent end if else if ( > 0.5) Update the position of the current search by using equation (12) end if end for Update , , and Update , , , ...
Article
Full-text available
Cloud computing is a widely used technology that has changed the way people and organizations store and access information. This technology is versatile, and extensive amounts of data can be stored in the cloud. However, with the development of cloud computing, it is also faced with many difficulties, cloud computing security has become the leading cause of impeding its development. Cloud computing security has become a hot topic in industry and academic research. As a consequence, the security of data stored in the cloud serves as a key concern for cloud consumers due to ongoing hacking incidents in the cloud. This work used encryption with access management because authenticities, anonymity, and security over accessibility are mandatory. Accordingly, the article proposed a machine learning-based method for secure data storage in the cloud. Initially, the data is compressed using the Huffman algorithm, which minimizes text data size and storage, resource use, or transmission power. Accordingly, the compressed data are encrypted using a novel cryptographic technique. This method encrypts the data before uploading it onto the cloud. Subsequently, the malicious intention in the cloud platform is identified by proposing a Weighted Chimp Algorithm optimized Gaussian Kernel Radial Basis Function Neural Network. This malicious code can be spread through infrastructures in the cloud platforms and pose a great threat to users and enterprises. The proposed method accurately detects malicious code in the cloud. The proposed work is implemented using Python software. The proposed method is compared with the other existing methods like Fully Homomorphic Encryption (FHE), Ciphertext Policy-Attribute based Encryption (CP-ABE), and Quasi Modified Levy Flight Distribution Reversed Sheamir Algorithm (QMLFD-RSA). Accordingly, the proposed method outperforms these existing methods. 
The results revealed that the deduplication rate, throughput, cipher text size and encryption time of the proposed method produce higher performance than the existing methods, i.e., the deduplication rate for the proposed method is 94%, and the outcome of the work proved that the proposed work produces better security than the other existing research. This hybrid technique allows the user to benefit from retrieved information in a protected manner.
... Specifically, cloud storage service provides enterprises and individuals with data storage services with a multitude of storage devices through the lowcost and extensible platform service. There are a vast array of applications on cloud storage [9], [10], [11] that have emerged for IoT. For utilizing the data of IoT devices stored in the cloud, data sharing is the most fundamental functionality for such applications, by which users' data can be shared through cloud storage service. ...
... if a device $u_j$ in the ring is revoked as $\hat{Y}' \neq \hat{Y}$ then compute $R'_1 = g^r$ and $R'_2 = R_2 h^r$; compute $L' = H(\mathit{List}')$, ...
Article
Full-text available
Blockchain has been a promising infrastructure for enabling secure data sharing for the Internet of Things (IoT). With the widespread of IoT applications, security issues such as data privacy, anonymity, and accountability become critical concerns for the users, which are essential principles for secure communication in those applications. However, the existing blockchain-based data sharing schemes mainly consider data privacy. Only a few works can support anonymity with strong, trusted assumptions. Thus, there is a research gap on the anonymity of blockchain-based data sharing for IoT, which does not rely on any trusted party. In this paper, we propose a blockchain-based anonymous data sharing scheme (BA-DS) by adopting a novel public key encryption derived from a ring signature. In BA-DS, we remove the trusted party and ensure anonymity by using an unconditional linkable ring signature and signature of knowledge (SoK). During the revocation, we apply blockchain infrastructure to record the valid revocation list and generate a tag for data stored on the cloud, providing solid accountability. The formal security analysis shows that BA-DS is selective indistinguishable secure in the random oracle model. Additionally, we also prove that BA-DS holds anonymity, data privacy, accountability, and authenticity. The extensive experiments indicate that our proposed BA-DS achieves reasonable efficiency in terms of computational complexity, communication overhead, and consumption on the blockchain.
... Sarker et al. [48] proposed IntruDTRee, a machine-learning model for detecting security breaches in IoT networks, offering improved accuracy and reduced computational complexity. Unal et al. [49] presented a Safe Cloud Storage System (SCSS) utilizing Identity-based Cryptography (IBC) for enhanced scalability and security in cloud storage. Irshad and Chaudhry [50] introduced SAS-Cloud, an ElGamal-based Authentication Method (EAM) for secure authentication in cloud-hosted IoT systems, combining passcode and biometric data for improved security. ...
Article
Full-text available
Smart cities, fueled by the Internet of Things (IoT), promise urban efficiency and convenience. However, it has also exposed vulnerabilities in the security and privacy of sensitive data transmitted and stored within these interconnected networks. The increasing frequency of cyberattacks and data breaches underscores the pressing need for innovative solutions to enhance the security of smart city IoT systems. This paper introduces a novel approach to bolstering IoT security in smart cities by adapting quantum cryptography principles. Leveraging quantum steganography, we conceal sensitive data within quantum streams. The proposed model provides a comprehensive solution that ensures the confidentiality, integrity, and authenticity of data within smart city IoT ecosystems. By combining quantum steganography, reversible decoding, customized encryption, privacy amplification, and cryptographic verification, this protocol fosters trust among stakeholders and supports the secure evolution of urban environments. This research offers a blueprint for securing IoT in smart cities, fostering trust, and enabling the safe evolution of urban environments.
... The challenging issues of centralized cloud storage systems are: (1) Authentication of the CSP and of users is necessary for secure use of the cloud storage system [4]. ...
Preprint
Full-text available
The widespread use of cloud storage enables users to access their resources remotely via a self-service model. Utilizing pay-per-use storage services provided by cloud service providers (CSPs) requires users to commit financially to their resources. This paper introduces an SCS framework that provides a secure architecture for cloud storage using a consortium blockchain network to solve the trust issue. This framework substitutes the third-party auditor with peers of a consortium blockchain network, which handles the role of data storage and verification. The storage space is segmented between uncommitted and committed storage, where uncommitted storage is designated for storing unverified documents. In contrast, committed storage is designated for the storage of committed documents. Those data documents that have undergone consensus validation by a specified threshold of peer nodes will be transferred to committed storage. The implementation of the SCS framework is carried out on Hyperledger Fabric. The security analysis proves that SCS effectively safeguards cloud storage against devastating attacks while preserving its integrity and auditability. The performance analysis reveals that the metrics for document upload time, document retrieval time, block acceptance time, execution time, and latency are optimal compared to state-of-the-art techniques.
... [10] proposed SCSS-SAKKE-IBE, which employs Type-3 pairings and a fast pairing-based IBE scheme following the scheme in [32]. Additionally, by utilizing the [33] method, SCSS supports multiple distributed PKGs. ...
Preprint
Full-text available
The Internet of Things (IoT) is rapidly becoming a common technology that will improve people's lives by seamlessly integrating into many facets of modern life and facilitating information sharing across platforms. Device Authentication is a significant challenge for IoT devices as they are placed in unprotected environments, vulnerable to physical attacks and common security risks. Large computational requirements and communication costs during Authentication make the existing methods, like Public Key Cryptography and Identity-based Encryption, unsuitable for resource-constrained IoT devices. Physical Unclonable Function (PUF) offers a lightweight security mechanism instead of traditional sophisticated cryptosystems by providing an unclonable and tamper-sensitive unique signature. Therefore, we use lightweight operations like bitwise XOR, hash function, and PUF, suitable for resource-constrained IoT devices to authenticate IoT devices. Despite several studies employing the PUF, to the authors' knowledge, existing solutions require an intermediary verifier/gateway and/or active internet by the IoT device to directly interact with a Server to authenticate itself and, hence, are not scalable when the IoT device works technologies like Bluetooth Low Energy, Zigbee, etc. To address the aforementioned issue, we present a system in which the IoT device does not require an active internet connection to communicate with the server. The results of a thorough security study are validated against adversarial attacks and PUF-modelling attacks. For formal security validation, the AVISPA verification tool is also used. Performance study recommends this protocol's lightweight characteristics. The proposed protocol's acceptability and defenses against various adversarial assaults are supported by a prototype developed with ESP32.
... Identity-based encryption is a public key encryption in which a user/sender can generate a public key from a known unique identifier such as the email address of the receiver, and a trusted third-party server calculates a corresponding private key from the public key. [68] proposed an IBE-based secure cloud storage system that is compatible with cloud forensics and supports digital forensics investigations, by using multiple public-key generators (PKG) to generate the (encryption) keys. The system permits legal authority or an investigator to act as a party in the key generation in collaboration with another trusted key generation authority which acts as the other PKG. ...
Article
Full-text available
The acquisition and analysis of data in digital forensics raise different data privacy challenges. Many existing works on digital forensic readiness discuss what information should be stored and how to collect relevant data to facilitate investigations. However, the cost of this readiness often directly impacts the privacy of innocent third parties and suspects if the collected information is irrelevant. Approaches that have been suggested for privacy-preserving digital forensics focus on the use of policy, non-cryptography-based, and cryptography-based solutions. Cryptographic techniques have been proposed to address issues of data privacy during data analysis. As the utilization of some of these cryptographic techniques continues to increase, it is important to evaluate their applicability and challenges in relation to digital forensics processes. This study provides digital forensics investigators and researchers with a roadmap to understanding the data privacy challenges in digital forensics and examines the various privacy techniques that can be utilized to tackle these challenges. Specifically, we review the cryptographic techniques applied for privacy protection in digital forensics and categorize them within the context of whether they support trusted third parties, multiple investigators, and multi-keyword searches. We highlight some of the drawbacks of utilizing cryptography-based methods in privacy-preserving digital forensics and suggest potential solutions to the identified shortcomings. In addition, we propose a conceptual privacy-preserving digital forensics (PPDF) model that is based on the use of cryptographic techniques and analyze the model within the context of the above-mentioned factors. An evaluation of the model is provided through a consideration of identified factors that may affect an investigation. Lastly, we provide an analysis of how existing principles for preserving privacy in digital forensics are addressed in our PPDF model. Our evaluation shows that the model aligns with many of the existing privacy principles recommended for privacy protection in digital forensics.
... Several researchers reviewed the techniques and challenges of digital forensics in cloud [64,65] and IoT [66] environments. Some improvements to traceability, integrity, and/or privacy in digital forensics were proposed based on technologies such as blockchain [30,67,68] and IBE [69]. Moreover, some researchers focused on the interpretability of evidence. ...
Article
Federated Identity Management (FIM) has gained significant adoption as a means to simplify user authentication and service authorization across diverse domains. It serves as a centralized authentication and authorization method, enabling users to access various applications or resources using credentials issued by a universally trusted identity provider (IdP). However, recent security incidents indicate that the reliability of credentials issued by IdP is not absolute in practice. If the IdP fails, it can persistently access any application that trusts it as any user. This poses a significant security threat to the entire system. Furthermore, with the increasing adoption of FIM across diverse scenarios, there is a growing demand for the development of an identity management system that can effectively support digital forensics investigations into malicious user behavior. In this work, we introduce transparency to federated identity management, proposing T-FIM to supervise unconditional trust. T-FIM employs privacy-preserving logs to record all IdP-issued tokens, ensuring that only the true owner can access the exact token. We utilize identity-based encryption (IBE), but not just as a black box, encrypting tokens before they are publicly recorded. In addition, we propose a decentralized private key generator (DPKG) to provide IBE private keys for users, avoiding the introduction of a new centralized trust node. T-FIM also presents a novel approach to digital forensics that enables forensic investigators to collect evidence in a privacy-preserving manner with the cooperation of the DPKG. We conduct a comprehensive analysis of the correctness, security, and privacy aspects of T-FIM. To demonstrate the practical feasibility of T-FIM, we evaluated the additional overhead through experimental evaluations. Additionally, we compared its performance with other similar schemes to provide a comprehensive understanding of its capabilities and advantages.
... Conventional encryption techniques (e.g. [10,42,47]) use complex mathematical manipulations and substitution and shifting operations to confuse the ciphertext. However, some concerns regarding their capacity to resist modern hacking techniques have been raised [60]. ...
Article
Although many encryption techniques purport to provide adequate information protection, it is unclear how the struggle between these encryption techniques and constantly evolving hacking tools will play out. Cryptanalysis techniques are becoming more sophisticated and may soon challenge current encryption techniques. This paper proposes a new encryption technique that employs three effective and confusion-inducing methods. Specifically, the technique utilizes (1) an innovative key expansion technique that generates highly complex key sequences using chaotic means, (2) chaotic substitution that significantly transforms input symbols into different ones, and (3) a diffusion technique that induces a high avalanche effect in the output. The proposed technique was simulated on both plaintext and images and evaluated using standard NIST and ENT randomness testing as well as other effective testing techniques such as avalanche effect, pixel correlation, and entropy. The simulation results showed that the proposed encryption technique is secure and efficient for plaintext and image data.
... The hash function creates a SHA256 hash of the input string, and the sign function generates a signature of the message using the supplied private key. Code Listing 1 shows the algorithm of the generateToken function which, if it receives an index equal to zero, generates the initial token and the next one using the SHA256 hash [Dang 2015] of the user's sensitive data (id, password, index, privateKey) and the RSA-SHA256 signature algorithm [Unal et al. 2021] to produce the message signed with the private key and the user's public data (id, publicKey, nextToken). Subsequent tokens are equivalent to the SHA256 hash of the previous token, incrementing the index by one (index + 1), and the signed message must contain, in addition to the user's public data, the Application id (appId), the Auth Service id (serviceId), and the data of the requested transaction. ...
Conference Paper
The use of applications external to organizations, that is, untrusted applications, has become common practice with the advance of the internet. However, allowing data to be recorded through untrusted third parties while guaranteeing non-repudiation can be a difficult task. To overcome these challenges, we propose a solution through the development of an architecture that guarantees the authentication and non-repudiation of records on the blockchain, even when they are inserted by other identities. The architecture consists of a service responsible for communication between third parties and the blockchain (Auth Service), methods for generating unique transaction tokens, and protocols for authentication in a smart contract. The proposed architecture provides a secure and efficient process for submitting transactions through untrusted applications, reducing dependence on the network's Certificate Authority (CA) and guaranteeing the non-repudiation of the data. With our solution, users can access various network services with confidence.
... IBE is indeed a public key technology in which a private key generator produces a master key pair as well as a master private key, with the master public key being generated using the customer's specific data [32]. By obtaining the private key associated with their identification from the private key generator, the user accesses the file. ...
Article
Cloud computing (CC) is among the most rapidly evolving computer technologies. It provides the required accessibility of network assets, mainly information storage with processing capacity, without the requirement for particular and direct user administration. CC is a collection of public and private data centers that provide a single platform for clients throughout the Internet. The growing volume of personal and sensitive information acquired through supervisory authorities demands the usage of the cloud not just for information storage but also for data processing at cloud assets. Nevertheless, due to safety issues raised by recent data leaks, it is recommended that unprotected sensitive data not be sent to public clouds. This document provides a detailed appraisal of the research regarding data protection and privacy problems, data encrypting, and data obfuscation, including remedies for cloud data storage. The most up-to-date technologies and approaches for cloud data security are examined. This research also examines several current strategies for addressing cloud security concerns. The performance of each approach is then compared based on its characteristics, benefits, and shortcomings. Finally, a few active cloud storage data security research fields are examined.
... Iorga [39] discussed the scalability of such scalable resources using the distributed logic between the user and the gateway nodes. Al-Ali [40] proposed that the handshake mechanism can be treated as a light-weight mode of interaction among the low computation devices in IoT networks. AK Das [41] provided a different 3-factor based mutual authentication mechanism among resource constrained devices. ...
Article
Over the past decade, IoT has gained huge momentum in terms of technological exploration, integration and its various applications even after having a resource-bound architecture. It is challenging to run any high-end security protocol(s) on Edge devices. These devices are highly vulnerable towards numerous cyber-attacks. IoT network nodes need peer-to-peer security which is possible if there exists proper mutual authentication among network devices. A secure session key needs to be established among source and destination nodes before sending the sensitive data. To generate these session keys, a strong cryptosystem is required to share parameters securely over a wireless network. In this article, we utilize a Rubik's cube puzzle based cryptosystem to exchange parameters among peers and generate session key(s). Blockchain technology is incorporated in the proposed model to provide anonymity of token transactions, on the basis of which the network devices exchange services. A session key pool randomizer is used to avoid network probabilistic attacks. Our hybrid model is capable of generating secure session keys that can be used for mutual authentication and reliable data transferring tasks. Cyber-attacks resistance and performance results were verified using standard tools, which gave industry level promising results in terms of efficiency, light-weightedness and practical applications.
Article
The widespread adoption of Internet of Things (IoT) technology has introduced new cybersecurity challenges. Encryption services are being offloaded to cloud and fog platforms to mitigate these risks. Encryption as a Service (EaaS) emerges as a remedy, offering cryptographic solutions tailored to the resource constraints of IoT devices. This study thoroughly examines existing EaaS platforms, categorizing them based on encryption algorithms and service offerings. Additionally, we outline various EaaS architecture types depending on the placement of key components. Practical implementations of these platforms are explored through different testbeds. A key focus lies in dissecting the challenges that EaaS faces, particularly in the context of IoT, while suggesting potential remedies. This work stands out as an all-encompassing exploration, bridging the gap left by previous surveys.
Article
The increasing usage of the Internet for sharing the digital Holy Quran reinforces the requirement for its protection from security breaches. Watermarking is the most widely used tool to preserve integrity and authenticity during data transmission. Previously proposed Quranic text watermarking techniques have limitations in terms of providing high capacity, imperceptibility and security simultaneously. This paper proposed an invisible watermarking technique, i.e., UniHaCh that employs Unicode UTF-8 values of the top six most frequently occurring characters in the Quranic verses integrated with the character counting mechanism, resulting in a high-capacity watermark key. The SHA3 hash function is used to obtain a fixed 256-bit watermark key that is embedded in the text at random locations using a secret key of 256 bits. The insertion of the watermark key is made imperceptible by utilizing zero-width spaces, preserving the original appearance of the text. Experimental results proved that the proposed approach is robust against modification, insertion and deletion attacks. UniHaCh was found efficient in providing authenticity and integrity simultaneously.
Article
Under the usage of new technologies, the Internet of Things (IoT) develops rapidly and provides great convenience for our lives. Ensuring the security of IoT systems is critical given the tremendous growth of IoT applications. Although many cryptography tools (such as identity-based encryption) have been given to provide appropriate security in IoT covering various application fields such as smart home, how to guarantee data confidentiality, provide reasonable data source identification, and resist quantum attacks simultaneously has been a challenging problem. To address this problem, we propose a matchmaking encryption scheme named lattice-based matchmaking identity-based encryption (LMIBE) which can provide bilateral access control for both sender and receiver in IoT systems, and resist quantum attacks. Moreover, we give a formal definition and a security definition for our scheme. The security proof shows that our scheme is secure under the proposed security definition. Finally, by comparing the performance of our scheme with existing works, we show that our proposed scheme has a broad application prospect in the IoT environment.
Article
Cryptographic algorithms enable secure data communication over public insecure networks. Though they enhance network security, complex cryptographic operations consume substantial amounts of computing resources, introducing significant network overhead costs. This study aims to find the cryptographic algorithm that can efficiently utilize network resources. The study evaluates three cryptographic algorithms with different file formats on varying numbers of node densities. The NS-3 simulator was used to measure latency, data throughput, end-to-end delay, packet delivery ratio, and packet loss of files in text, image, and audio formats. The results find AES as better than DES and 3DES for a large number of node densities for the three file formats in terms of latency, data throughput, end-to-end delay, and packet delivery ratio. However, DES has the lowest packet loss as AES records the highest packet loss. The findings provide researchers avenues for further research and the practitioners the choice of suitable algorithms based on the overhead performance.
Article
Multi-Authority Ciphertext-Policy Attribute-Based Encryption (MCP-ABE) is developed in this research, aimed at enabling efficient secure operation. The proposed methodology is developed to achieve two main characteristics: to prevent multiple users from illegally sharing their private keys, and to provide the data owner with access to the data and the flexibility to change their access policy. The proposed methodology provides high security with multiple authorities along with a traceable and dynamic policy updating procedure. The proposed method is implemented in Java and analyzed with performance metrics such as key size, computation time and functionality. Compared to traditional cryptographic methods, attribute-based encryption has a number of benefits, including its adaptable and fine-grained control of access. Additionally, it is independent of key sharing and management methods that may protect against security attacks, a method of undermining encryption. The proposed methodology protects users under different conditions such as data protection, fraud prevention, message detection and general attack resistance. To validate the performance of the proposed methodology, it is contrasted with conventional methods such as Ciphertext-Policy Attribute-Based Signcryption with Outsourced Designcryption (CP-OABSC) and revocable signature (CP-ABSC) with Ciphertext-Policy Attribute-Based Signcryption With Accountable and Verifiable Outsourced Designcryption (CP-ABSc-AVODs) respectively.
Article
Message authentication has been a research hotspot in current vehicular ad hoc networks (VANETs). Many researchers adopt group signatures based on number-theoretic assumptions to authenticate the vehicular users’ identities. Nevertheless, the classical group signature is vulnerable to quantum computing attacks and does not consider the negative consequences of secret key disclosure. In this paper, to address these problems, we propose a novel group signature protocol for authentication in VANETs, which is based on lattice cryptography to achieve quantum resistance and a Bonsai-tree signature architecture to achieve forward security. Our scheme is proven secure in terms of traceability, anonymity, and forward security under the Short Integer Solution (SIS) and Learning With Errors (LWE) hardness assumptions. Through comprehensive performance evaluation, we demonstrate that the storage overhead of our scheme is relatively small and that the computation cost of the sign and verify algorithms is efficient and practical compared with other existing schemes.
Article
Purpose: This study aims to bring awareness to the development of fault detection systems using the data collected from sensor devices/physical devices of various systems for predictive maintenance. Opportunities and challenges in developing anomaly detection algorithms for predictive maintenance and unexplored areas in this context are also discussed. Design/methodology/approach: For conducting a systematic review on the state-of-the-art algorithms in fault detection for predictive maintenance, review papers from the years 2017–2021 available in the Scopus database were selected. A total of 93 papers were chosen. They are classified under electrical and electronics, civil and constructions, automobile, production and mechanical. In addition to this, the paper provides a detailed discussion of various fault-detection algorithms that can be categorised under supervised, semi-supervised, unsupervised learning and traditional statistical methods, along with an analysis of various forms of anomalies prevalent across different sectors of industry. Findings: Based on the literature reviewed, seven propositions with a focus on the following areas are presented: need for a uniform framework while scaling the number of sensors; the need for identification of erroneous parameters; why there is a need for new algorithms based on unsupervised and semi-supervised learning; the importance of ensemble learning and data fusion algorithms; the necessity of automatic fault diagnostic systems; concerns about multiple fault detection; and cost-effective fault detection. These propositions shed light on the unsolved issues of predictive maintenance using fault detection algorithms. A novel architecture based on the methodologies and propositions gives more clarity for the reader to further explore this area. Originality/value: Papers for this study were selected from the Scopus database for predictive maintenance in the field of fault detection. Review papers published in this area deal only with methods used to detect anomalies, whereas this paper attempts to establish a link between different industrial domains and the methods used in each industry that uses fault detection for predictive maintenance.
Chapter
The electronic medical cloud system has shown its potential to improve the quality of medical care and personal life. At present, there are mainly two forms of access control to electronic medical cloud systems: role-based access control (RBAC) and attribute-based access control (ABAC). But RBAC cannot achieve fine-grained access control, and ABAC cannot achieve the role of RBAC to manage resource functions. This paper proposes a patient-centric access control model that combines RBAC and ABAC in response to this problem. We use the Linear Secret Sharing Scheme (LSSS) access control structure to implement attribute-based access control, and the Casbin access control framework to implement role-based access control. The patient first uses the ciphertext-policy attribute-based encryption algorithm (CP-ABE) on the client to encrypt the electronic health record (EHR), then the patient stores the encrypted EHR data in the cloud. When a data user wants to access patient EHR data, the cloud will determine whether the user role or user attribute meets the access request. After the request is passed, the user can obtain the ciphertext and the plaintext after two decryption steps. Finally, we conduct an extensive safety analysis and performance evaluation, which confirmed the effectiveness and efficiency of our program.

Keywords: Attribute-based access control, Role-based access control, CP-ABE, Cloud computing
Article
A new industrial revolution is emerging with the Internet of Things (IoT) growing use in enabling the machine to machine communication between the devices, sensors, actuators, and gateways. IoT lets the communication across devices and the network happen in real-time and helps make technologically smart homes, smart hospitals, and smart industrial applications. The authentication schemes in IoT have to be robust and lightweight to be useful for resource-constrained real-time applications where user privacy and physical security are the priority concerns. The IoT devices are prone to physical attacks due to their installation in hostile environments. The intruders want to physically capture the IoT nodes for cloning and accessing the stored confidential information, thus necessitating IoT nodes’ physical protection. This article proposes a less expensive and physically secured user authentication and secure key exchange protocol for industry 4.0 applications. Physically unclonable functions (PUF), hash, and XOR operations are used in the proposed method to attain robustness and efficiency. The scheme’s other benefits include low computational cost, retaining the device’s confidentiality, safety from major security threats, low communication, and storage overhead.
Article
Data redundancy is a significant issue that wastes plenty of storage space in the cloud-fog storage integrated environments. Most of the current techniques, which mainly center around the static scenes, for example, the backup and archive systems, are not appropriate because of the dynamic nature of data in the cloud or integrated cloud environments. This problem can be effectively reduced and successfully managed by data deduplication techniques, eliminating duplicate data in cloud storage systems. Implementation of data deduplication (DD) over encrypted data is always a significant challenge in an integrated cloud-fog storage and computing environment to optimize the storage efficiently in a highly secured manner. This paper develops a new method using Convergent and Modified Elliptic Curve Cryptography (MECC) algorithms over the cloud and fog environment to construct secure deduplication systems. The proposed method focuses on the two most important goals of such systems. On one side, the redundancy of data needs to be reduced to its minimum, and on the other hand, a robust encryption approach must be developed to ensure the security of the data. The proposed technique is well suited for operations such as uploading new files by a user to the fog or cloud storage. The file is first encrypted using the Convergent Encryption (CE) technique and then re-encrypted using the Modified Elliptic Curve Cryptography (MECC) algorithm. The proposed method can recognize data redundancy at the block level, reducing the redundancy of data more effectively. Testing results show that the proposed approach can outperform a few state-of-the-art methods of computational efficiency and security levels.
Article
The ever-growing number of Internet-connected devices poses several cybersecurity risks. Most of the data exchanged between Internet of Things (IoT) devices is not adequately secured due to resource constraints on IoT devices. Attribute-Based SignCryption (ABSC) is a powerful cryptographic mechanism suitable for distributed environments, providing flexible access control and data secrecy. However, it imposes high designcryption costs, and does not support access policy update (user addition/revocation). This paper presents PROUD, an ABSC solution, to securely outsource the data designcryption process to edge servers in order to reduce the computation overhead on the user side. PROUD allows end-users to offload most of the designcryption overhead to an edge server and verify the correctness of the partially designcrypted data received from the edge server. Moreover, PROUD provides the access policy update feature without involving a proxy server, re-signcrypting the signcrypted message, or re-distributing the users' secret keys. The access policy update feature in PROUD does not affect the size of the message received by the end-user, which reduces the bandwidth and the storage usage. Our comprehensive theoretical and experimental analysis proves that PROUD outperforms existing schemes in terms of functionality, communication and computation overhead.
Article
Recent technological advances such as the Internet of Things (IoT), fog computing, and cloud applications lead to exponential growth in the amount of generated data. Indeed, cloud storage services have experienced unprecedented usage demand. The loss of user control over their data stored in the cloud has introduced several security and privacy concerns. To address these concerns, cryptographic techniques are widely adopted at the user side. Attribute-based cryptography is commonly used to provide encrypted and/or authenticated access to outsourced data in remote servers. However, the use of these cryptographic mechanisms often increases the storage and computation costs and, consequently, the energy consumption in the entire cloud ecosystem. In this paper, we provide a comparative analysis of different attribute-based cryptographic mechanisms suitable for cloud data sharing services. We also provide a detailed discussion of the different reviewed schemes with respect to supported features, namely security, privacy and functional requirements. In addition, we explore the limitations of existing attribute-based cryptographic mechanisms and propose future research directions to better fit the growing needs of this cloud environment in terms of energy savings, processing and storage efficiency, and availability requirements.
Article
The digital certificate validation associated with traditional public key cryptosystems makes them impractical in real-world environments due to their storage cost. Identity-based cryptosystems have been proven advantageous as they do not require any digital certificate validation and hence its storage. Due to the key escrow, user slandering and secure key issuing problems, IBE adoption is limited to small networks only. The existing solutions either lose the identity-based feature or require high computation cost. In this paper, we propose a mechanism to generate the user’s private key in which we mitigate the trust in a single PKG by replacing it with a single semi-trusted key generation center (KGC), which authenticates the user and provides the partial private key, and multiple cloud privacy centers (CPCs), which protect the user’s private key with their secret keys. In order to reduce the computation cost of generating the user’s private key, most of the computation is offloaded to the CPCs, and only a constant (very small) number of operations are run on the KGC. We use an ECC-based blinding technique to secure the communication over a public channel. Using the proposed escrow-free private key generation mechanism, we design an identity-based encryption scheme which is semantically secure against IND-ID-CCA attacks assuming the BDH problem.
Article
In public cloud storage systems, the confidentiality of sensitive data remains the most important issue. Cryptography is a promising approach for addressing this issue. In this paper, we introduce the CS-IBE design based upon ID-based encryption, which aims to strengthen sensitive data confidentiality in public cloud storage. The CS-IBE design associates files with at least one file access policy, namely the user identity (ID) that will be used as the encryption key. Files are encrypted with the user identity key before outsourcing them to the cloud storage side, which adds a security layer to the outsourced data. Furthermore, CS-IBE works as an overlay system atop cloud storage solutions. In order to evaluate its security and efficiency, a CS-IBE prototype is implemented and analyzed. The obtained results give insights into the provided confidentiality regarding the performance trade-off while simplifying the processes of key management. The statistical study showed that the time overhead of the proposed design is insignificant, especially for large file sizes.
Article
Digital forensics is a vital part of almost every criminal investigation given the amount of information available and the opportunities offered by electronic data to investigate and evidence a crime. However, in criminal justice proceedings, these electronic pieces of evidence are often considered with the utmost suspicion and uncertainty, although on occasion this is justifiable. Presently, the use of scientifically unproven forensic techniques is highly criticized in legal proceedings. Nevertheless, the exceedingly distinct and dynamic characteristics of electronic data, in addition to the current legislation and privacy laws, remain challenging aspects for systematically attesting evidence in a court of law. This article presents a comprehensive study to examine the issues that are considered essential to discuss and resolve for the proper acceptance of evidence based on scientific grounds. Moreover, the article explains the state of forensics in emerging sub-fields of digital technology such as cloud computing, social media, and the Internet of Things (IoT), and reviews the challenges which may complicate the process of systematic validation of electronic evidence. The study further explores various solutions previously proposed by researchers and academics, regarding their appropriateness based on their experimental evaluation. Additionally, this article suggests open research areas, highlighting many of the issues and problems associated with the empirical evaluation of these solutions for immediate attention by researchers and practitioners. Notably, academics must react to these challenges with appropriate emphasis on methodical verification. Therefore, for this purpose, the issues in the experiential validation of currently available practices are reviewed in this study. The review also discusses the struggle involved in demonstrating the reliability and validity of these approaches with contemporary evaluation methods. Furthermore, the development of best practices, reliable tools and the formulation of formal testing methods for digital forensic techniques are highlighted, which could be extremely useful and of immense value to improve the trustworthiness of electronic evidence in legal proceedings.
Article
Nowadays, telemedicine is an emerging healthcare service where healthcare professionals can diagnose, evaluate, and treat a patient using telecommunication technology. To diagnose and evaluate a patient, the healthcare professionals need to access the electronic medical record (EMR) of the patient, which might contain huge multimedia big data including x-rays, ultrasounds, CT scans, MRI reports, etc. For efficient access and to support mobility for both the healthcare professionals and the patients, the EMR needs to be kept in big data storage in the healthcare cloud. In spite of the popularity of the healthcare cloud, it faces different security issues; for instance, data theft attacks are considered to be one of the most serious security breaches of healthcare data in the cloud. In this paper, the main focus is on securing healthcare private data in the cloud using a fog computing facility. To this end, a tri-party one-round authenticated key agreement protocol has been proposed based on bilinear pairing cryptography that can generate a session key among the participants so that they can communicate securely. Finally, the private healthcare data are accessed and stored securely by implementing a decoy technique.
Article
Digital forensics is used to help investigate cybercrime. Because of its characteristics and rapid adoption, the cloud requires its own form of forensics, which must be reliable. The authors have developed the Open Cloud Forensics (OCF) model and FECloud architecture, which would enable effective cloud forensics.
Article
Whereas once data storage was confined to a computer’s hardware, now the sky is quite literally the limit. Cloud storage is flexible, simple, and cost-effective; however, it also introduces significant data security risks. One such risk is the unscrupulous misuse of data stored in the cloud so as to perpetrate acts of cyberbullying. Cloud storage uniquely amplifies the risk of harm to cyberbullying victims given its propensity to reduce a user’s control over data. More stringent regulation is required before users can confidently send data to the cloud.
Article
Recent technological advances have given rise to the popularity and success of the cloud. This new paradigm is gaining an expanding interest, since it provides cost-efficient architectures that support the transmission, storage, and intensive computing of data. However, these promising storage services bring many challenging design issues, largely due to the loss of data control. These challenges, namely data confidentiality and data integrity, have significant influence on the security and performance of the cloud system. This thesis aims at overcoming this trade-off, while considering two data security concerns. On one hand, we focus on data confidentiality preservation, which becomes more complex with flexible data sharing among a dynamic group of users. It requires the secrecy of outsourced data and an efficient sharing of decrypting keys between different authorized users. For this purpose, we first proposed a new method relying on the use of ID-Based Cryptography (IBC), where each client acts as a Private Key Generator (PKG). That is, he generates his own public elements and derives his corresponding private key using a secret. Thanks to IBC properties, this contribution is shown to support data privacy and confidentiality, and to be resistant to unauthorized access to data during the sharing process, while considering two realistic threat models, namely an honest-but-curious server and a malicious user adversary. Second, we define CloudaSec, a public key based solution, which proposes the separation of subscription-based key management and confidentiality-oriented asymmetric encryption policies. That is, CloudaSec enables flexible and scalable deployment of the solution as well as strong security guarantees for outsourced data in cloud servers. Experimental results, under OpenStack Swift, have proven the efficiency of CloudaSec in scalable data sharing, while considering the impact of the cryptographic operations at the client side.
On the other hand, we address the Proof of Data Possession (PDP) concern. In fact, the cloud customer should have an efficient way to perform periodical remote integrity verifications, without keeping the data locally, following three substantial aspects: security level, public verifiability, and performance. This concern is magnified by the client's constrained storage and computation capabilities and the large size of outsourced data. In order to fulfill this security requirement, we first define a new zero-knowledge PDP protocol that provides deterministic integrity verification guarantees, relying on the uniqueness of the Euclidean Division. These guarantees are considered as interesting, compared to several proposed schemes presenting probabilistic approaches. Then, we propose SHoPS, a Set-Homomorphic Proof of Data Possession scheme, supporting the three levels of data verification. SHoPS enables the cloud client not only to obtain a proof of possession from the remote server, but also to verify that a given data file is distributed across multiple storage devices to achieve a certain desired level of fault tolerance. Indeed, we present the set homomorphism property, which extends malleability to set operations such as union, intersection and inclusion. SHoPS presents a high security level and low processing complexity. For instance, SHoPS saves energy within the cloud provider by distributing the computation over multiple nodes. Each node provides proofs of local data block sets. This is to make applicable a resulting proof over sets of data blocks, satisfying several needs, such as proof aggregation
Article
Personal health record (PHR) is an emerging patient-centric model of health information exchange, which is often outsourced to be stored at a third party, such as cloud providers. However, there have been wide privacy concerns as personal health information could be exposed to those third party servers and to unauthorized parties. To assure the patients' control over access to their own PHRs, it is a promising method to encrypt the PHRs before outsourcing. Yet, issues such as risks of privacy exposure, scalability in key management, flexible access, and efficient user revocation, have remained the most important challenges toward achieving fine-grained, cryptographically enforced data access control. In this paper, we propose a novel patient-centric framework and a suite of mechanisms for data access control to PHRs stored in semitrusted servers. To achieve fine-grained and scalable data access control for PHRs, we leverage attribute-based encryption (ABE) techniques to encrypt each patient's PHR file. Different from previous works in secure data outsourcing, we focus on the multiple data owner scenario, and divide the users in the PHR system into multiple security domains that greatly reduces the key management complexity for owners and users. A high degree of patient privacy is guaranteed simultaneously by exploiting multiauthority ABE. Our scheme also enables dynamic modification of access policies or file attributes, supports efficient on-demand user/attribute revocation and break-glass access under emergency scenarios. Extensive analytical and experimental results are presented which show the security, scalability, and efficiency of our proposed scheme.
Article
The increasing criminal activities using digital information as the means or targets warrant a structured manner of dealing with them. Since 1984, when a formalized process was introduced, a great number of new and improved computer forensic investigation processes have been developed. In this paper, we review a few selected investigation processes that have been produced throughout the years and then identify the commonly shared processes. Hopefully, with the identification of the commonly shared processes, it would make it easier for new users to understand the processes and also serve as the basic underlying concept for the development of a new set of processes. Based on the commonly shared processes, we propose a generic computer forensics investigation model, known as GCFIM.
Article
In recent years, a large number of identity- based key agreement protocols from pairings have been proposed. Some of them are elegant and practical. However, the security of this type of protocol has been surprisingly hard to prove, even in the random oracle model. The main issue is that a simulator is not able to deal with reveal queries, because it requires solving either a computational problem or a decisional problem, both of which are generally believed to be hard (i.e., computationally infeasible). The best solution so far for security proofs uses the gap assumption, which means assuming that the existence of a decisional oracle does not change the hardness of the corresponding computational problem. The disadvantage of using this solution to prove security is that such decisional oracles, on which the security proof relies, cannot be performed by any polynomial time algorithm in the real world, because of the hardness of the decisional problem. In this paper we present a method incorporating a built-in decisional function into the protocols. The function transfers a hard decisional problem in the proof to an easy decisional problem. We then discuss the resulting efficiency of the schemes and the relevant security reductions, in the random oracle model, in the context of different pairings one can use. We pay particular attention, unlike most other papers in the area, to the issues which arise when using asymmetric pairings.
Article
Log files are the primary source of recording user, application and protocol activities in the cloud ecosystem. Cloud forensic investigators can use log evidence to ascertain when, why and how a cyber adversary or an insider compromised a system by establishing the crime scene and reconstructing how the incident occurred. However, digital evidence acquisition in a cloud ecosystem is complicated and has proven difficult, even with modern forensic acquisition toolkits. Multi-tenancy, geo-location and Service-Level Agreements have added another layer of complexity in acquiring digital log evidence from a cloud ecosystem. In order to mitigate these complexities of evidence acquisition in the cloud ecosystem, we need a framework that can forensically maintain the trustworthiness and integrity of log evidence. In this paper, we design and implement a Blockchain Cloud Forensic Logging (BCFL) framework, using a Design Science Research Methodology (DSRM) approach. BCFL operates primarily in four stages: (1) Process transaction logs using Blockchain distributed ledger technology (DLT). (2) Use a Blockchain smart contract to maintain the integrity of logs and establish a clear chain of custody. (3) Validate all transaction logs. (4) Maintain transaction log immutability. BCFL will also enhance and strengthen compliance with the European Union (EU) General Data Protection Regulation (GDPR). The results from our single case study demonstrate that BCFL mitigates the challenges and complexities faced by digital forensics investigators in acquiring admissible digital evidence from the cloud ecosystem. Furthermore, instantaneous performance monitoring of the proposed Blockchain cloud forensic logging framework was evaluated. BCFL will ensure trustworthiness, integrity, authenticity and non-repudiation of the log evidence in the cloud.
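The integrity and immutability properties the BCFL abstract relies on reduce, at their core, to every log entry committing to the entire history before it. The following Python is an added example, not BCFL's code and not a replicated ledger: a single-writer SHA-256 hash chain over constructed cloud access-log records, with a verifier that recomputes every hash and back-link and reports the first entry that no longer matches. Function and field names are my own.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64   # back-link of the first entry


def _entry_hash(prev_hash, index, record):
    # Canonical JSON (sorted keys, no whitespace) so the same record always hashes the same.
    payload = json.dumps({"index": index, "prev": prev_hash, "record": record},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_entry(chain, record):
    """Append a log record; each entry commits to the full history through prev_hash."""
    record = copy.deepcopy(record)          # the chain owns its copy of the record
    prev = chain[-1]["hash"] if chain else GENESIS
    index = len(chain)
    chain.append({"index": index, "prev": prev, "record": record,
                  "hash": _entry_hash(prev, index, record)})
    return chain[-1]["hash"]


def verify_chain(chain):
    """Return (ok, first_bad_index). Recomputes every hash and checks every back-link."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["index"] != i or entry["prev"] != prev:
            return False, i
        if entry["hash"] != _entry_hash(prev, i, entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, None


# Constructed sample records in the shape a tenant's object-storage access log might have.
SAMPLE_RECORDS = [
    {"ts": "2021-04-03T10:00:00Z", "tenant": "t-17", "actor": "svc-backup",
     "action": "GET", "object": "bucket/a.bin"},
    {"ts": "2021-04-03T10:00:07Z", "tenant": "t-17", "actor": "alice",
     "action": "PUT", "object": "bucket/b.bin"},
    {"ts": "2021-04-03T10:01:12Z", "tenant": "t-17", "actor": "alice",
     "action": "DELETE", "object": "bucket/a.bin"},
]


def build_sample_chain():
    chain = []
    for rec in SAMPLE_RECORDS:
        append_entry(chain, rec)
    return chain


def tamper_demo():
    """An insider rewrites entry 2 to hide the DELETE; verification pins the break to index 2."""
    chain = build_sample_chain()
    chain[2]["record"]["action"] = "GET"
    return verify_chain(chain)


def tamper_and_rehash_demo():
    """Rewriting entry 1 and recomputing only its own hash still breaks entry 2's back-link."""
    chain = build_sample_chain()
    chain[1]["record"]["actor"] = "nobody"
    chain[1]["hash"] = _entry_hash(chain[1]["prev"], 1, chain[1]["record"])
    return verify_chain(chain)
```

The chain is only tamper-evident, not tamper-proof: whoever holds the writer can rewrite every entry and every hash consistently. What a distributed ledger adds, and what this single-writer version lacks, is a head hash that the writer cannot unilaterally change; at minimum the latest hash should be anchored somewhere outside the writer's control (a separate authority, a signed timestamp, or a shared ledger) before the log is relied on as evidence.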
Article
Identity-based encryption (IBE) is a powerful mechanism for maintaining security. However, systems based on IBE are unpopular when compared with those of public-key encryption (PKE). In our opinion, one of the reasons is a gap between theory and practice. For example, although a generic transformation of weakly/strongly robust IBE from any IBE has been proposed by Abdalla et al., no robust IBE scheme is explicitly given. This means that, theoretically, anyone can construct a weakly/strongly robust IBE scheme by employing this transformation. However, this seems not easily applicable by non-cryptographers. In this paper, we first introduce the Gentry IBE scheme constructed over Type-3 pairings by employing the transformation proposed by Abe et al., and second we explicitly give strongly/weakly robust Gentry IBE schemes by employing the Abdalla et al. transformation. Finally, we show its implementation result and show that we can add strong robustness to the Gentry IBE scheme at very little additional cost. We employ the mcl library to support a Barreto-Naehrig curve defined over a 462-bit prime. The encryption requires about 5 ms, whereas the decryption requires about 9 ms.
Article
This paper presents a Sensing-as-a-Service run-time Service Oriented Architecture (SOA), called 3SOA, for the development of Internet of Things (IoT) applications. 3SOA aims to allow interoperability among various IoT platforms and support service-oriented modelling at high levels of abstraction where fundamental SOA theories and techniques are fully integrated into a practical software engineering approach. 3SOA abstracts the dependencies of the middleware programming model from the application logic. This abstraction allows the development efforts to focus on writing the application logic independently from hardware platforms, middleware, and languages in which applications are programmed. To achieve this result, IoT objects are treated as independent entities that may interact with each other using a well-defined message exchange sequence. Each object is defined by the services it provides and the coordination protocol it supports. Objects are then able to coordinate their resources to address the global objectives of the system. To practically validate our proposals, we demonstrate an intelligent transportation system and data privacy functional prototypes as proof of concepts. The use cases show that 3SOA and the presented abstraction language allow the amalgamation of macroprogramming and node-centric programming to develop real-time and efficient applications over IoT.
Chapter
Single sign-on (SSO) is becoming more and more popular in the Internet. An SSO ticket issued by the identity provider (IdP) allows an entity to sign onto a relying party (RP) on behalf of the account enclosed in the ticket. To ensure its authenticity, an SSO ticket is digitally signed by the IdP and verified by the RP. However, recent security incidents indicate that a signing system (e.g., certification authority) might be compromised to sign fraudulent messages, even when it is well protected in accredited commercial systems. Compared with certification authorities, the online signing components of IdPs are even more exposed to adversaries and thus more vulnerable to such threats in practice. This paper proposes ticket transparency to provide accountable SSO services with privacy-preserving public logs against potentially fraudulent tickets issued by a compromised IdP. With this scheme, an IdP-signed ticket is accepted by the RP only if it is recorded in the public logs. It enables a user to check all his tickets in the public logs and detect any fraudulent ticket issued without his participation or authorization. We integrate blind signatures, identity-based encryption and Bloom filters in the design, to balance transparency, privacy and efficiency in these security-enhanced SSO services. To the best of our knowledge, this is the first attempt to solve the security problems caused by potentially intruded or compromised IdPs in the SSO services.
Article
In this paper, we present the enhancement of a lightweight key-policy attribute-based encryption (KP-ABE) scheme designed for the Internet of Things (IoT). The KP-ABE scheme was claimed to achieve ciphertext indistinguishability under chosen-plaintext attack in the selective-set model but we show that the KP-ABE scheme is insecure even in the weaker security notion, namely, one-way encryption under the same attack and model. In particular, we show that an attacker can decrypt a ciphertext which does not satisfy the policy imposed on his decryption key. Subsequently, we propose an efficient fix to the KP-ABE scheme as well as extending it to be a hierarchical KP-ABE (H-KP-ABE) scheme that can support role delegation in IoT applications. An example of applying our H-KP-ABE on an IoT-connected healthcare system is given to highlight the benefit of the delegation feature. Lastly, using the NIST curves secp192k1 and secp256k1, we benchmark the fixed (hierarchical) KP-ABE scheme on an Android phone and the result shows that the scheme is still the fastest in the literature.
Article
Minecraft, a Massively Multiplayer Online Game (MMOG), has reportedly millions of players from different age groups worldwide. With Minecraft being so popular, particularly with younger audiences, it is no surprise that the interactive nature of Minecraft has facilitated the commission of criminal activities such as denial of service attacks against gamers, cyberbullying, swatting, sexual communication, and online child grooming. In this research, there is a simulated scenario of a typical Minecraft setting, using a Linux Ubuntu 16.04.3 machine (acting as the MMOG server) and Windows client devices running Minecraft. Server and client devices are then examined to reveal the type and extent of evidential artefacts that can be extracted.
Article
In a multi-proxy multi-signature scheme, a group of original signers can delegate the signing rights to a group of proxy signers. All proxy signers cooperatively sign messages on behalf of the original group. Recently, Sahu and Padhye proposed an identity-based multi-proxy multi-signature (IBMPMS) scheme which was claimed to be secure against existential forgery on adaptive chosen-message and adaptive chosen-identity attacks in the random oracle model. However, in this paper, we indicate that Sahu-Padhye’s scheme is insecure by giving concrete attacks. In the end, we propose a new IBMPMS scheme and prove that it is secure in the random oracle model.
Article
Hierarchical Identity Based Encryption (HIBE) enhances the scalability of identity-based encryption schemes by sharing the workload of the root Private Key Generator (PKG) among multiple lower-level PKGs, facilitating intermediate key escrows and private key delegation. Owing to its structure, HIBE can be deployed to provide access control in cloud, pervasive computing systems, wireless sensor networks and Massively Multiplayer Online Role-Playing Games (MMORPGs). Additionally, HIBE can be used to perform search on encrypted data, forward secure encryption, fully private communication, limited delegation and damage control. This paper evaluates different approaches in the construction of HIBE protocols to determine practical frameworks. Specific criteria such as cryptographic proof models, tightness of the reduction, recipient anonymity, hardness assumptions, bounded depth, revocability, types of pairing and ciphertext indistinguishability properties were used as benchmarks for assessing each scheme. The efficiency in terms of storage and computation overhead was estimated to identify suitable protocols for securing different computing environments. The future prospective applications of HIBE protocols were also investigated.
Article
Data security is a worldwide problem, and there is a wide world of encryption solutions available to help solve this problem. Most of these products are developed and sold by for-profit entities, although some are created as free open-source projects. They are available, either for sale or free download, all over the world. In 1999, a group of researchers from George Washington University attempted to survey the worldwide market for encryption products [HB 99]. The impetus for their survey was the ongoing debate about US encryption export controls. By collecting information about 805 hardware and software encryption products from 35 countries outside the US, the researchers showed that restricting the export of encryption products did nothing to reduce their availability around the world, while at the same time putting US companies at a competitive disadvantage in the information security market. Seventeen years later, we have tried to replicate this survey.
Conference Paper
We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. First, we present Logjam, a novel flaw in TLS that lets a man-in-the-middle downgrade connections to "export-grade" Diffie-Hellman. To carry out this attack, we implement the number field sieve discrete log algorithm. After a week-long precomputation for a specified 512-bit group, we can compute arbitrary discrete logs in that group in about a minute. We find that 82% of vulnerable servers use a single 512-bit group, allowing us to compromise connections to 7% of Alexa Top Million HTTPS sites. In response, major browsers are being changed to reject short groups. We go on to consider Diffie-Hellman with 768- and 1024-bit groups. We estimate that even in the 1024-bit case, the computations are plausible given nation-state resources. A small number of fixed or standardized groups are used by millions of servers; performing precomputation for a single 1024-bit group would allow passive eavesdropping on 18% of popular HTTPS sites, and a second group would allow decryption of traffic to 66% of IPsec VPNs and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break. We conclude that moving to stronger key exchange methods should be a priority for the Internet community.
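The client-side fix the abstract describes (browsers rejecting short groups) comes down to inspecting the group the server sends before using it. The following Python is an added example, not code from the Logjam paper: it parses the ServerDHParams structure (dh_p, dh_g, dh_Ys, each a 2-byte-length-prefixed vector) from a TLS 1.2 DHE ServerKeyExchange body and classifies the modulus size. The sample messages use constructed odd moduli, not real standardized groups, and the 2048-bit floor is an assumption about what a cautious client enforces today, not a figure from the paper.

```python
import struct

# Size policy motivated by the abstract: 512-bit "export-grade" groups fall in about a
# minute after a one-time precomputation, and 1024-bit groups are plausible targets for
# a nation-state. The 2048-bit floor is an assumption about current client policy.
EXPORT_GRADE_BITS = 512
MIN_ACCEPTABLE_BITS = 2048


def _read_vector(data, offset):
    """Read a TLS opaque<1..2^16-1> vector (2-byte big-endian length prefix) at offset."""
    if offset + 2 > len(data):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from("!H", data, offset)
    offset += 2
    if length == 0 or offset + length > len(data):
        raise ValueError("truncated or empty vector")
    return data[offset:offset + length], offset + length


def parse_server_dh_params(body):
    """Parse ServerDHParams {dh_p, dh_g, dh_Ys} from a DHE ServerKeyExchange body.
    Returns (p, g, Ys, trailing); trailing is whatever follows (normally the signature)."""
    p_bytes, off = _read_vector(body, 0)
    g_bytes, off = _read_vector(body, off)
    ys_bytes, off = _read_vector(body, off)
    return (int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big"),
            int.from_bytes(ys_bytes, "big"), body[off:])


def assess_dh_group(p, g, ys):
    """Classify a negotiated DHE group the way a Logjam-aware client should."""
    if p < 3 or p % 2 == 0:
        return "reject: p is not an odd modulus"
    if not 1 < g < p - 1:
        return "reject: generator out of range"
    if not 1 < ys < p - 1:
        return "reject: server public value out of range"
    bits = p.bit_length()
    if bits <= EXPORT_GRADE_BITS:
        return f"reject: {bits}-bit export-grade group (Logjam)"
    if bits < 1024:
        return f"reject: {bits}-bit group, below the 1024-bit minimum"
    if bits < MIN_ACCEPTABLE_BITS:
        return f"warn: {bits}-bit group, precomputation plausible for a nation-state"
    return f"accept: {bits}-bit group"


def check_message(body):
    """Parse and classify in one step; raises ValueError on a malformed message."""
    p, g, ys, _signature = parse_server_dh_params(body)
    return assess_dh_group(p, g, ys)


def is_well_formed(body):
    try:
        parse_server_dh_params(body)
        return True
    except ValueError:
        return False


def encode_server_dh_params(p, g, ys):
    """Build ServerDHParams bytes; used here only to construct the sample messages."""
    def vec(n):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    return vec(p) + vec(g) + vec(ys)


# Constructed samples: a 512-bit odd modulus standing in for an export group, and a
# 2048-bit one. Neither is a real group; they only exercise the parser and the policy.
SAMPLE_EXPORT = encode_server_dh_params((1 << 511) | 0x1234567, 2, (1 << 200) + 3)
SAMPLE_STRONG = encode_server_dh_params((1 << 2047) | 0x7654321, 2, (1 << 1000) + 5)
```

Size is the check this abstract motivates, but it is not the whole story: a client should also prefer a well-known safe-prime group (or ECDHE) over an arbitrary server-chosen modulus, since a large modulus of unknown structure gives no assurance against a server that picked it badly.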
Article
Identity-based non-interactive key exchange (IB-NIKE) is a powerful but a bit overlooked primitive in identity-based cryptography. While identity-based encryption and signature have been extensively investigated over the past three decades, IB-NIKE has remained largely unstudied. So far, there are only few IB-NIKE schemes in the literature. Among them, Sakai-Ohgishi-Kasahara (SOK) scheme is the first efficient and secure two-party IB-NIKE scheme, which has great influence on follow-up works. However, the SOK scheme required its identity mapping function to be modeled as a random oracle to prove security. Moreover, its existing security proof heavily relies on the ability of programming the random oracle. It is unknown whether such reliance is inherent. In this work, we intensively revisit the SOK IB-NIKE scheme and present a series of possible and impossible results in the random oracle model and the standard model. In the random oracle model, we first improve previous security analysis for the SOK IB-NIKE scheme by giving a tighter reduction. We then use meta-reduction technique to show that the SOK scheme is unlikely proven to be secure based on the computational bilinear Diffie-Hellman assumption without programming the random oracle. In the standard model, we show how to instantiate the random oracle in the SOK scheme with a concrete hash function from admissible hash functions (AHFs) and indistinguishability obfuscation. The resulting scheme is adaptively secure based on the decisional bilinear Diffie-Hellman inversion assumption. To the best of our knowledge, this is the first adaptively secure IB-NIKE scheme in the standard model that does not explicitly require multilinear maps. Previous schemes in the standard model either have merely selective security or require programmable hash functions from multilinear maps. 
At the technical heart of our scheme, we generalize the definition of AHFs and propose a generic construction which enables AHFs with previously unachieved parameters. This might be of independent interest. In addition, we present some new results about IB-NIKE. Firstly, we propose a generic construction of multiparty IB-NIKE from extractable witness PRFs and existentially unforgeable signatures. Secondly, we investigate the relation between semi-adaptive security and adaptive security of IB-NIKE. Somewhat surprisingly, we show that these two notions are polynomially equivalent.
Conference Paper
Among the three broad classes of Identity-Based Encryption schemes built from pairings, the exponent inversion paradigm tends to be the most efficient, but also the least extensible: currently there are no hierarchical or other known extension of IBE based on those schemes. In this work, we show that such extensions can be realized from IBE systems that conform to a certain abstraction of the exponent inversion paradigm. Our method requires no random oracles, and is simple and efficient.
Conference Paper
In this paper, we propose a three participants variation of the Diffie-Hellman protocol. This variation is based on the Weil and Tate pairings on elliptic curves, which were first used in cryptography as cryptanalytic tools for reducing the discrete logarithm problem on some elliptic curves to the discrete logarithm problem in a finite field.
Article
In this paper we propose a three participants variation of the Diffie--Hellman protocol. This variation is based on the Weil and Tate pairings on elliptic curves, which were first used in cryptography as cryptanalytic tools for reducing the discrete logarithm problem on some elliptic curves to the discrete logarithm problem in a finite field.
Article
Many research papers in pairing-based cryptography treat pairings as a “black box”. These papers build cryptographic schemes making use of various properties of pairings. If this approach is taken, then it is easy for authors to make invalid assumptions concerning the properties of pairings. The cryptographic schemes developed may not be realizable in practice, or may not be as efficient as the authors assume. The aim of this paper is to outline, in as simple a fashion as possible, the basic choices that are available when using pairings in cryptography. For each choice, the main properties and efficiency issues are summarized. The paper is intended to be of use to non-specialists who are interested in using pairings to design cryptographic schemes.
Conference Paper
We propose a three participants variation of the Diffie-Hellman protocol. This variation is based on the Weil and Tate pairings on elliptic curves, which were first used in cryptography as cryptanalytic tools for reducing the discrete logarithm problem on some elliptic curves to the discrete logarithm problem in a finite field.
Conference Paper
We present a novel public key cryptosystem in which the public key of a subscriber can be chosen to be a publicly known value, such as his identity. We discuss the security of the proposed scheme, and show that this is related to the difficulty of solving the quadratic residuosity problem
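The scheme this abstract describes is Cocks' identity-based encryption from quadratic residuosity: the identity is hashed to a in Z_n with Jacobi symbol 1, the authority (which knows p and q) hands back a square root r of a or of -a, a bit is encrypted as s = t + a/t for a random t whose Jacobi symbol encodes the bit, and the holder of r recovers it as the Jacobi symbol of s + 2r. The Python below is an added worked example, not the paper's code: the primes are toy-sized (real deployments use primes of 1024 bits or more), and the counter-based identity hash and the function names are my own choices for illustration.

```python
import hashlib
import secrets

# Toy parameters: two primes congruent to 3 mod 4, which guarantees that for every a
# with Jacobi symbol (a/n) = 1 exactly one of a, -a is a quadratic residue mod n.
# Real deployments use 1024-bit (or larger) primes; these are small only for speed.
P = 1000000007
Q = 2147483647
N = P * Q


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def hash_identity(identity):
    """Map an identity string to a in Z_n with (a/n) = 1 by hashing with a counter."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{identity}|{counter}".encode()).digest()
        a = int.from_bytes(digest, "big") % N
        if a > 1 and jacobi(a, N) == 1:
            return a
        counter += 1


def extract(identity):
    """Authority side: with p, q known, r = a^((n+5-p-q)/8) satisfies r^2 = a or r^2 = -a."""
    a = hash_identity(identity)
    r = pow(a, (N + 5 - P - Q) // 8, N)
    assert r * r % N in (a, N - a)
    return r


def _encrypt_bit(a, bit):
    """Encrypt one bit under a and under -a; the receiver uses whichever matches r^2."""
    target = 1 if bit else -1          # the bit is carried by the Jacobi symbol of t
    out = []
    for base in (a, N - a):
        while True:
            t = secrets.randbelow(N - 2) + 2
            if jacobi(t, N) == target:
                break
        out.append((t + base * pow(t, -1, N)) % N)   # s = t + base / t
    return tuple(out)


def encrypt(identity, message):
    """Encrypt bytes bit by bit; each bit costs two elements of Z_n (Cocks is a bit-wise scheme)."""
    a = hash_identity(identity)
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    return [_encrypt_bit(a, b) for b in bits]


def decrypt(r, identity, ciphertext):
    """Holder side: s + 2r = (t + r)^2 / t whenever r^2 matches the base used for s,
    so its Jacobi symbol equals that of t, which is the encrypted bit."""
    a = hash_identity(identity)
    use_first = (r * r % N == a)
    bits = []
    for s_a, s_neg_a in ciphertext:
        s = s_a if use_first else s_neg_a
        bits.append(1 if jacobi((s + 2 * r) % N, N) == 1 else 0)
    out = bytearray()
    for i in range(0, len(bits), 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)
```

Two practical consequences follow directly from the code: ciphertext expansion is two full-size elements of Z_n per plaintext bit, which is why Cocks is normally used only to wrap a symmetric key, and the authority that knows p and q can compute every user's r, the key-escrow property that the distributed-PKG work cited elsewhere on this page sets out to mitigate.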
Conference Paper
An identity-based encryption (IBE) scheme can greatly reduce the complexity of sending encrypted messages. However, an IBE scheme necessarily requires a private-key generator (PKG), which can create private keys for clients, and so can passively eavesdrop on all encrypted communications. Although a distributed PKG has been suggested as a way to mitigate this key escrow problem for Boneh and Franklin’s IBE scheme, the security of this distributed protocol has not been proven. Further, a distributed PKG has not been considered for any other IBE scheme. In this paper, we design distributed PKG setup and private key extraction protocols for three important IBE schemes; namely, Boneh and Franklin’s BF-IBE, Sakai and Kasahara’s SK-IBE, and Boneh and Boyen’s BB1-IBE. We give special attention to the applicability of our protocols to all possible types of bilinear pairings and prove their IND-ID-CCA security in the random oracle model against a Byzantine adversary. Finally, we also perform a comparative analysis of these protocols and present recommendations for their use.
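The distributed private-key extraction the abstract refers to has a simple algebraic core in BF-IBE: the master secret s is Shamir-shared as s_i = f(i) across the PKGs, each PKG answers a key request with H(ID)^{s_i}, and the client multiplies t such partials with Lagrange exponents to get d_ID = H(ID)^s without any PKG, or any t-1 of them, learning s. The Python below is an added example, not the paper's protocol: it runs that arithmetic in a toy discrete-log group modulo a safe prime instead of a pairing-friendly elliptic-curve group, and fixes the sharing polynomial's coefficients (in a real system they come from a distributed key generation, so no party ever holds s) so that the example is deterministic. All names are my own.

```python
import hashlib

# Toy DL group: safe prime p = 2q + 1, working in the order-q subgroup of squares.
# A real distributed PKG does the same exponent arithmetic in a pairing group with a
# 256-bit or larger q; the sizes here only keep the numbers readable.
P_MOD = 2039
Q_ORD = 1019
THRESHOLD = 3      # t: partial keys needed to extract a private key
NUM_PKGS = 5       # n: key-generation authorities

# Constructed sharing polynomial f(x) = s + c1*x + c2*x^2 of degree t-1 over Z_q.
MASTER_SECRET = 777
COEFFS = [MASTER_SECRET, 412, 95]


def f(x):
    return sum(c * pow(x, i, Q_ORD) for i, c in enumerate(COEFFS)) % Q_ORD


# PKG i holds share s_i = f(i) and publishes nothing but its commitment g^{s_i}.
SHARES = {i: f(i) for i in range(1, NUM_PKGS + 1)}


def hash_to_group(identity):
    """Map an identity to the order-q subgroup by squaring a hash modulo p."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % P_MOD
    h = pow(h, 2, P_MOD)
    return h if h > 1 else 4          # avoid the trivial element on the toy modulus


def partial_extract(pkg_index, identity):
    """What PKG i returns for a key request: H(ID)^{s_i}. s_i itself never leaves the PKG."""
    return pow(hash_to_group(identity), SHARES[pkg_index], P_MOD)


def lagrange_coeff(i, indices):
    """lambda_i with sum_i lambda_i * f(i) = f(0) over the chosen subset, mod q."""
    num, den = 1, 1
    for j in indices:
        if j != i:
            num = num * (-j) % Q_ORD
            den = den * (i - j) % Q_ORD
    return num * pow(den, -1, Q_ORD) % Q_ORD


def combine(partials, identity):
    """Client side: d_ID = prod_i partial_i^{lambda_i} = H(ID)^s, without learning s."""
    indices = sorted(partials)
    if len(indices) < THRESHOLD:
        raise ValueError(f"need {THRESHOLD} partial keys, got {len(indices)}")
    d = 1
    for i in indices:
        d = d * pow(partials[i], lagrange_coeff(i, indices), P_MOD) % P_MOD
    return d


def reconstruct_secret(indices):
    """What a coalition of PKGs could recover from their shares alone (for illustration):
    t shares give s exactly, any fewer give an unrelated value."""
    return sum(lagrange_coeff(i, indices) * SHARES[i] for i in indices) % Q_ORD


def reference_key(identity):
    """The key a single all-powerful PKG holding s would compute; used only to check combine()."""
    return pow(hash_to_group(identity), MASTER_SECRET, P_MOD)
```

This is where the "account locking" idea from the page's own scheme gets its teeth: with t = 3 of 5, a forensic authority and a single PKG together cannot produce a user's key, and any three partials from any three PKGs produce exactly the same d_ID. One thing the toy group cannot do, and a pairing group can, is let the client verify each partial against the PKG's public commitment g^{s_i} (checking e(g^{s_i}, H(ID)) = e(g, partial)), so a misbehaving PKG here can only be detected by the combined key failing to decrypt.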
Article
Pairings on elliptic curves have been applied to realize secure ID-based cryptosystems that can be invulnerable to collusion attacks. The computation of the pairing is necessary for these cryptosystems, though it is costly compared with the computation of exponentiation over finite fields or scalar multiplication on the elliptic curve when the parameters are chosen to be secure.
Y. Sun, W. Zheng, An identity-based ring signcryption scheme in ideal lattice, J. Netw. Intell. 3 (3) (2018) 152-161.
Arshad, Digital forensics: Review of issues in scientific validation of digital evidence.
Sakai, Cryptosystems based on pairing.
A. Kumar, A. Jerome, G. Khanna, H. Veladanda, H. Ly, N. Chai, R. Andrews, Elliptic curve cryptography (ECC): Certificates performance analysis, 2013, https://www.websecurity.digicert.com/content/dam/websitesecurity/digitalassets/desktop/pdfs/whitepaper/Elliptic_Curve_Cryptography_ECC_WP_en_us.pdf (accessed 3 April 2021).
IEEE, IEEE 1363.3-2013 - IEEE standard for identity-based cryptographic techniques using pairings, 2013, https://standards.ieee.org/standard/1363_3-2013.html (accessed 3 April 2021).
M.C. SDK, Multiprecision integer and rational arithmetic cryptographic library (MIRACL), 2021, https://github.com/miracl/MIRACL (accessed 3 April 2021).