
RESEARCH ARTICLES

TwinCloud: secure cloud sharing without explicit key management

In this paper, we propose TwinCloud as a client-side solution providing a secure system to users without compromising the usability of cloud sharing. TwinCloud brings a novel solution to the complex key exchange problem and provides a simple and practical approach to store and share files by hiding all the cryptographic and key-distribution operations from users. Serving as a gateway, TwinCloud stores the encryption keys and encrypted files in separate clouds, which eases secure sharing without the need to trust either of the cloud service providers, under the assumption that they do not collude with each other. TwinCloud is a lightweight application and is available as open source.

A quantitative CVSS-based cyber security risk assessment methodology for IT systems

IT system risk assessments are indispensable due to increasing cyber threats within our ever-growing IT systems. Moreover, laws and regulations urge organizations to conduct risk assessments regularly. Even though there exist several risk management frameworks and methodologies, they are in general high level, not defining the risk metrics, risk metrics values and the detailed risk assessment formulas for different risk views. To address this need, we define a novel risk assessment methodology specific to IT systems. Our model is quantitative, both asset and vulnerability centric and defines low and high level risk metrics. High level risk metrics are defined in two general categories; base and attack graph-based. In our paper, we provide a detailed explanation of formulations in each category and make our implemented software publicly available for those who are interested in applying the proposed …

Open-TEE is No Longer Virtual: Towards Software-only Trusted Execution Environments Using White-box Cryptography

Trusted Execution Environments (TEEs) provide hardware support to isolate the execution of sensitive operations on mobile phones for improved security. However, they are not always available to use for application developers. To provide a consistent user experience to those who have and do not have a TEE-enabled device, we could get help from Open-TEE, an open-source GlobalPlatform (GP)-compliant software TEE emulator. However, Open-TEE does not offer any of the security properties hardware TEEs have. In this paper, we propose WhiteBox-TEE which integrates white-box cryptography with Open-TEE to provide better security while still remaining compliant with GP TEE specifications. We discuss the architecture, provisioning mechanism, implementation highlights, security properties and performance issues of WhiteBox-TEE and propose possible revisions to TEE specifications to have better use of …

Using attribute-based feature selection approaches and machine learning algorithms for detecting fraudulent Website URLs

Phishing is a malicious form of online theft and needs to be prevented in order to increase the overall trust of the public in the Internet. In this study, for that purpose, the authors present their findings on the methods of detecting phishing websites. Data mining algorithms along with classifier algorithms are used in order to achieve a satisfactory result. In terms of classifiers, the Naïve Bayes, SMO, and J48 algorithms are used. As for the feature selection algorithms, Gain Ratio Attribute and ReliefF Attribute are selected. The results are provided in a comparative way. Accordingly, the SMO and J48 algorithms provided satisfactory results in the detection of phishing websites; however, Naïve Bayes performed poorly and is the least recommended method among all.

Analysis and evaluation of keystroke dynamics as a feature of contextual authentication

The current best practice dictates that even when the correct username and password are entered, the system should look for login anomalies that might indicate malicious attempts. Most anomaly detection approaches examine static properties of user’s contextual data such as IP address, screen size and browser type. Keystroke Dynamics bring an additional security measure and enable us to use individuals’ keystroke behaviour to decide the legitimacy of the user. In this paper, we first analyze different anomaly detection approaches separately and then show accuracy improvements when we combine these solutions with various methods. Our results show that including keystroke dynamics scores in session context anomaly component as a new feature performs better than ensemble methods with different weights for session context and keystroke dynamics components. We argue that this is due to the opportunity to …

Security analysis of mobile authenticator applications

Deploying Two-Factor Authentication (2FA) is one of the highly recommended security mechanisms against account hijacking attacks. One of the common methods for 2FA is to bring something you know and something you have factors together. For the latter we have options including USB sticks, smart cards, SMS verification, and one-time password values generated by mobile applications (soft OTP). Due to cost and convenience reasons, deploying 2FA via soft OTPs is more common. However, unlike smart cards, which have a tamper resistance property, attackers can access smartphones remotely or physically so that they can fetch the shared secret seed value - an important security risk for mobile authenticators. For this reason, it is critical to analyze mobile authenticator applications in this context. In this paper, we report our findings after analyzing eleven different Android authenticator applications. We report …

Extending attribute-based access control model with authentication information for Internet of Things

Internet of Things (IoT) brings not only a wide range of opportunities but also security and privacy concerns. Consisting of many connected devices used in a highly interactive way, one of the main security concerns in IoT is unauthorized access. Traditional access control models do not support dynamic and fine-grained access control policies. The Attribute-Based Access Control (ABAC) model is usually considered the most satisfactory access control model for running IoT applications. In this paper, we propose to take the user authentication matching score obtained from a biometric authentication system into consideration when making access control decisions. We emphasize the need for fine-grained access control and suggest creating access control policies per functionality of the device instead of per device, with regard to the least privilege principle of information security. We give full or partial permission to certain …

White-Box Implementations for Hash-Based Signatures and One-Time Passwords

White-box cryptography challenges the assumption that the end points are trusted and aims at providing protection against an adversary more powerful than the one in the traditional black-box cryptographic model. Most existing white-box implementations focus on symmetric encryption. In particular, we are not aware of any previous work on general-purpose quantum-safe digital signature schemes also secure against white-box attackers. We present white-box implementations for hash-based signatures so that the security against white-box attackers depends on the availability of a white-box secure pseudorandom function (in addition to a general one-way function). We also present a hash tree-based solution for one-time passwords secure in a white-box attacker context. We implement the proposed solutions and share our performance results.

Towards Zero Trust: The Design and Implementation of a Secure End-Point Device for Remote Working

COVID-19 pandemic and lockdowns forced employees across the world to work from home. Remote working has become a necessity rather than a choice. However, in order to meet this increasing demand, the most pressing security concerns of organizations should be addressed. In this paper, we present the design and implementation of ProGun, an end-point device (a USB dongle) for remote working. We present the hardware/software co-design of ProGun, by which most security risks due to lack of physical protection could be mitigated. We also discuss choices we made among many alternatives for user authentication and their security and usability implications in a remote working environment.

Is FIDO2 Passwordless Authentication a Hype or for Real?: A Position Paper

Operating system and browser support that comes with the FIDO2 standard and the biometric user verification options increasingly available on smart phones have excited everyone, especially big tech companies, about the passwordless future. Does a dream come true, are we finally totally getting rid of passwords? In this position paper, we argue that although passwordless authentication may be preferable in certain situations, it will still not be possible to eliminate passwords on the web in the foreseeable future. We defend our position with five main reasons, supported either by the results from the recent literature or by our own technical and business experience. We believe our discussion could also serve as a research agenda comprising promising future work directions on (passwordless) user authentication.

Authentication-enabled attribute-based access control for smart homes

Smart home technologies constantly bring significant convenience to our daily lives. Unfortunately, increased security risks accompany this convenience. There can be severe consequences when unauthorized or malicious users gain access to smart home devices. Therefore, dependable and comprehensive access control models are needed to address the security concerns. To this end, the attribute-based access control (ABAC) model is usually considered the most satisfactory access control model for running IoT applications. However, the uncertainty left with the authentication stage should be carried to the authorization policy specification. In this work, we extend the ABAC model by carrying the assurance level of user authentication obtained from biometric authentication systems for authorization. The extended ABAC model quantifies how far the authentication matching score is from the predefined threshold …
