International Journal of Security and Its Applications

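Publication information
  • Material type
    Academic journal
  • Publisher
    Science & Engineering Research Support Center, Republic of Korea (IJSIA)
  • pISSN
    1738-9976
  • Frequency
    Bimonthly
  • Coverage period
    2008 ~ 2016
  • Indexing
    SCOPUS
  • Subject classification
    Engineering > Computer Science
  • Decimal classification
    KDC 505 DDC 605
Vol.6 No.4 (21 articles)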
No
1

Multi-Layer Data Encryption Using Residue Number System in DNA Sequence

M. I. Youssef, A. Emam, M. Abd Elghany

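Science & Engineering Research Support Center (IJSIA), International Journal of Security and Its Applications Vol.6 No.4 2012.10 pp.1-12

※ Access to the full text may be restricted because the agreement with the original content provider has ended.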

In this paper, we merge the use of DNA sequences and the Residue Number System in encryption systems. The coded message is secretly embedded inside the DNA sequence. This merge leads to multilayer encryption with different keys (which can be used as a hash function), a versatile alternative that increases security and flexibility with less complexity. As security is one of the most important issues in communication systems, the evolution of cryptography and cryptographic analysis are considered fields of ongoing research. This field is becoming very promising. Thus, a straightforward algorithm that achieves efficiency as a multi-layer encryption technique is implemented.

2

A Technique for Secret Communication Using a New Block Cipher with Dynamic Steganography

Gandharba Swain, Saroj Kumar Lenka

Science & Engineering Research Support Center (IJSIA), International Journal of Security and Its Applications Vol.6 No.4 2012.10 pp.13-24

This paper presents a technique for secret communication using cryptography and steganography. The cryptographic algorithm is a block cipher with a block length of 128 bits and a key length of 256 bits. The secret message is encrypted by this block cipher. Two cipher text bits are to be embedded in each pixel of the image. Each pixel is 8 bits. The embedding locations in a pixel are the 6th and 7th bit locations, the 7th and 6th bit locations, the 7th and 8th bit locations, or the 8th and 7th bit locations, depending upon the cipher text bits. The 8th bit means the least significant bit (LSB). As the embedding locations are decided at the run time of the algorithm, it is called dynamic steganography. The technique is tested experimentally and the results are discussed.

3

Security Threats in Cloud Computing Environments

Kangchan Lee

Science & Engineering Research Support Center (IJSIA), International Journal of Security and Its Applications Vol.6 No.4 2012.10 pp.25-32

Cloud computing is a model for enabling service users' ubiquitous, convenient and on-demand network access to a shared pool of configurable computing resources. Security for cloud computing is an emerging area of study, and this paper provides security topics in terms of cloud computing based on an analysis of cloud security threats and the technical components of cloud computing.

4

Analysis of Operator Errors in Routing Policy Configurations

Sihyung Lee

Science & Engineering Research Support Center (IJSIA), International Journal of Security and Its Applications Vol.6 No.4 2012.10 pp.33-52

Routing policy configurations are one of the crucial elements of network configurations since they deal with a network’s connectivity, quality of service, and security. However, the languages and user interfaces used to configure routing policies are not well suited to network operators’ needs. This often leads to configuration errors and lengthens the time taken to resolve problems. To better understand the causes of this problem, we analyze configuration errors that we collected in four production networks over an eight-month period. We also learn from network operators, who provide feedback about the features that cause mistakes and delays. We observe that current routing policy configuration management has four major problems, including both technical and usability problems: (i) the large number of obsolete and irrelevant configurations, (ii) subtle interactions with multiple relevant technologies, (iii) the overlapping, complex set of configuration options, and (iv) insufficient support for the efficient reuse of common configuration segments. Based on this observation, we propose a set of guidelines for creating more usable configuration management.

5

Bank Web Sites Phishing Detection and Notification System Based on Semantic Web technologies

Faisal Alkhateeb, Ahmed M. Manasrah, Abed Al Raoof Bsoul

Science & Engineering Research Support Center (IJSIA), International Journal of Security and Its Applications Vol.6 No.4 2012.10 pp.53-66

Phishing is an online theft of sensitive information that swindles innocent users into disclosing private information such as user names, passwords, and credit card numbers. The reported number of phishing attacks is growing daily; hence, the loss from the resulting damage is escalating. As a result, there is an urgent need for anti-phishing solutions, raised by researchers as well as the IT industry worldwide. Although a number of solutions to mitigate phishing attacks have been proposed, they still suffer from high false positive and negative results, as well as questions about the feasibility of their implementation. In this work, we propose a system for client-side defenses such as browser plug-ins and classification techniques that are adopted in such detection scenarios. The system inspects the HTML pages as an annotated document represented or embedded in XHTML format using RDF annotations. The proposed solution has been tested using real sites acquired from the World Wide Web and government agencies concerned with the problem; the method has a better detection accuracy that reaches 96%, while the false positive rate decreased to 4%. The results show promising findings in the area of phishing detection, which requires hand-in-hand collaboration between various banking branches and the country’s central or authorized bank. Additionally, the system notifies the corresponding bank about the phishing web sites, and the bank in turn notifies its clients.

6

Enhancing Grid Security using Quantum Key Distribution

Muhammad Mubashir Khan, Jie Xu

Science & Engineering Research Support Center (IJSIA), International Journal of Security and Its Applications Vol.6 No.4 2012.10 pp.67-76

Quantum Key Distribution (QKD) is a secure key distribution technology which provides information-theoretic or unconditional security. The BBN DARPA quantum network and the SECOQC network of secrets are examples of such networks. Research is also in progress on the integration of QKD with protocols in different layers of the OSI model. Integration of QKD in the point-to-point protocol (PPP) at OSI layer 2 and with IPSEC at OSI layer 3 are examples of such research efforts. All these steps are leading towards the utilization of QKD technology for enhancing the security of modern computing applications on the Internet. This paper presents a model for the exploitation of QKD security networks in high performance distributed computing applications, such as grid computing.

7

Integration of Sound Signature Authentication System

Bagrudeen Bazeer Ahamed, Shanmugasundaram Hariharan

Science & Engineering Research Support Center (IJSIA), International Journal of Security and Its Applications Vol.6 No.4 2012.10 pp.77-86

Users mostly select passwords that are predictable. This happens with both graphical and text-based passwords. Users tend to choose memorable passwords; unfortunately, this means that the passwords tend to follow predictable patterns that are easier for attackers to guess. While the predictability problem can be solved by disallowing user choice and assigning passwords to users, this usually leads to usability issues since users cannot easily remember such random passwords. A number of graphical password systems have been developed; studies show that text-based passwords suffer from both security and usability problems. According to a recent news article, a security team at a company ran a network password cracker and within 30 seconds identified about 80% of the passwords. It is well known that the human brain is better at recognizing and recalling images than text; graphical passwords exploit this human characteristic. We proposed a sound signature graphical password consisting of user-chosen click points in a displayed image. In order to store passwords in cryptographically hashed form, we need to prevent small uncertainties in the click points from having any effect on the password. We achieve this by introducing a robust discrimination, based on multigrid discrimination.

8

An Anti-Shoulder Surfing Mechanism and its Memorability Test

Lim Kah Seng, Norafida Ithnin, Hazinah Kutty Mammi

Science & Engineering Research Support Center (IJSIA), International Journal of Security and Its Applications Vol.6 No.4 2012.10 pp.87-96

To improve the security of mobile device graphical passwords against shoulder surfing attacks, an anti-shoulder surfing mechanism called Painting Album Mechanism is proposed. This mechanism is constructed based on the concept of a painting album, and it consists of three input schemes called Swipe Scheme, Color Scheme, and Scot Scheme. In this paper, the usability of this mechanism is verified with a memorability test. 30 respondents authenticated with these three input schemes over multiple authentications. The results show that Painting Album Mechanism is usable, since respondents succeeded in recalling their passwords in an acceptable period of time.

9

Modeling the Forensics Process

Sabah Al-Fedaghi, Bashayer Al-Babtain

Science & Engineering Research Support Center (IJSIA), International Journal of Security and Its Applications Vol.6 No.4 2012.10 pp.97-108

Most forensic models focus on the investigative process and its different phases and are characterized by a rather informal and intuitive approach. This paper proposes an abstract model of the digital forensic model based on a new flow-based specification methodology. It is shown in examples that the method can uniformly specify the forensic process in various phases and across roles. It also provides a more exact description where “things” (e.g., information, evidence) are separated into different streams of flow.

10

Web Service Selection Using Quality Criteria and Trust Based Routing Protocol

Mahdi Bazarganigilani

Science & Engineering Research Support Center (IJSIA), International Journal of Security and Its Applications Vol.6 No.4 2012.10 pp.109-118

Web Services are applications that perform desired tasks, from basic network connectivity to sophisticated compound tasks. Service Composition is the construction of complex services to enable different tasks. Therefore, enabling rapid and effective composition of services is a crucial point in the efficiency of composite web services. This paper introduces a new algorithm for effective construction of the primitive services according to their quality criteria. A trust-based ranking algorithm is employed to diminish the services with lower quality.

11

Design and Analysis of a Non-deterministic Digital Signature Protocol

Odule, Tola John, Olatubosun Abiodun Kaka

Science & Engineering Research Support Center (IJSIA), International Journal of Security and Its Applications Vol.6 No.4 2012.10 pp.119-130

This study describes a modular arithmetic-based signing scheme called NDSP which combines essentially optimal efficiency with attractive security properties. Signing takes one RSA decryption plus some hashing, verification takes one RSA encryption plus some hashing, and the size of the signature is the size of the modulus. Assuming the underlying hash functions are ideal, our schemes are not only provably secure, but are so in a tight way: an ability to forge signatures with a certain amount of computational resources implies the ability to invert RSA (on the same size modulus) with about the same computational effort.

12

The Risks Facing China’s Mining Companies – An Analysis from Global Perspective

Gu Chunyan

Science & Engineering Research Support Center (IJSIA), International Journal of Security and Its Applications Vol.6 No.4 2012.10 pp.131-140

Mining operations represent an economic activity with plenty of decision problems involving risk and uncertainty. While underlying risks do not vary significantly from year to year, their level of acuteness and priority can change depending on the economic environment. With the development of economic globalization, China’s mining companies are exposed to a higher than average level of risks, especially risks from political and economic policies of the host country, as well as financials. This paper works through various risk scenarios and performs impact analysis, and then gives suggestions about risk management and control from both macro and micro perspectives.

13

An Improved Secure Anonymous Protocol for Distributed Computer Networks

Kai Chain, Wen-Chung Kuo, Jiin-Chiou Cheng

Science & Engineering Research Support Center (IJSIA), International Journal of Security and Its Applications Vol.6 No.4 2012.10 pp.141-150

Various kinds of network applications have arisen due to the rapid development of network techniques. To prevent sensitive personal information from being disclosed on an open and insecure network, it is necessary to provide appropriate secure protocols. Concerning secure protocols, key agreement and authentication between user and server are paramount. In 2010, Cui and Cao proposed a secure anonymous key agreement for distributed networks, in which users collect other identities to utilize in communication so attackers cannot determine the real identity of the user. However, this protocol suffers the drawback of high calculation requirements. In this paper, we adopt Elliptic Curve Cryptography (ECC) to reduce the computational cost in Cui and Cao’s protocol, and propose an indexing trick to speed up searches of legitimate users. Our proposed scheme maintains the characteristic of obfuscating user identity to thwart identification attempts.

14

Improvement of Convertible Authenticated Encryption Schemes and Its Multiple Recipients Version

Ting-Yi Chang, Chou-Chen Yang, Min-Shiang Hwang

Science & Engineering Research Support Center (IJSIA), International Journal of Security and Its Applications Vol.6 No.4 2012.10 pp.151-162

A convertible authenticated encryption scheme simultaneously provides the functions of integration, authentication, confidentiality, and non-repudiation. A signer generates an authenticated ciphertext signature on the chosen message, so that only a designated recipient can recover the message by using her/his secret key and verify the message by using the signer's public key. If there is a dispute, the recipient is able to convert the authenticated ciphertext signature into an ordinary signature that can be verified by anyone. This paper separately points out that any adversary can forge a converted signature in Araki's scheme and Ma-Chen's scheme. Moreover, we further improve the weakness in Wu-Hsu's scheme, which is that converting the signature into an ordinary one should divulge the message. The improved scheme not only solves the weakness but also reduces the computational complexities on both sides of signer and recipient. Furthermore, the proposed convertible authenticated encryption scheme is extended for multiple recipients. The message can be recovered and verified by a group with multiple recipients.

15

This paper analyzes the existing formal security models of three-party authentication and key distribution protocol for 802.11i, which are the Extended BR and Extended CK models. We propose the flaw about the definition of session identifier in the Extended CK model and present the limitation of matching conversation defined in the Extended BR model. In order to fix these problems and provide a perfect model for provable security protocol, a new stronger formal security model of three-party authentication and key distribution protocol is defined by “efficient AP” according to the rules of the 802.11i standard, and we present a new provable secure EAP-TLS protocol in our model. The new formal security model proposes a better method to design provable security three-party authentication and key distribution protocol in WLAN. In addition, this paper also suggests an idea to define the authentication relationships in special application environment.

16

Modeling of Document Security Checkpoint for Preventing Leakage of Military Information

Jung ho Eom

Science & Engineering Research Support Center (IJSIA), International Journal of Security and Its Applications Vol.6 No.4 2012.10 pp.175-182

In this paper, we designed a document security checkpoint for inspecting leakage of sensitive documents, including military information, from the internal to the outside network. Our designed model checks all documents when they are downloaded, sent, and printed. The model consists of four modules: authentication module, access control module, misuse monitor module, and tracking module. The authentication module checks the insider’s information, after which it allows an insider to log on to the system. The access control module authorizes an insider to do operations (read, write) according to his role and security level. The pattern monitor module watches for an insider’s abnormal access to documents by comparing the insider’s actual process to the current process profile in the database. The tracking module traces documents sent outside and verifies fabrication of documents. The document security checkpoint prevents indiscriminate access to documents, and it does not allow access to documents unrelated to the insider’s duty and security level. Even if a document is illegally leaked by an insider, it can be tracked by watermarking techniques in the tracking module.

17

Homomorphic Encryption to Preserve Location Privacy

Maede Ashouri-Talouki, Ahmad Baraani-Dastjerdi

Science & Engineering Research Support Center (IJSIA), International Journal of Security and Its Applications Vol.6 No.4 2012.10 pp.183-190

Recently, user privacy has become an important security goal in most computer applications, especially in context-aware services. One of the most popular services in this field is location-based services (LBSs), which deliver the desired data based on the user’s location. Although these services make life easier, they lead to a privacy risk. To get the desired services, a user should disclose her location, so her location privacy is threatened. In this paper we consider a group of users who want to use a location-based service while preserving their location privacy. We propose a solution for this scenario and compare it with the previous solution. Analysis of our protocol shows the effectiveness of the proposed approach in terms of computation and communication costs.

18

Compliance Risk Assessment Measures of Financial Information Security using System Dynamics

Ae Chan Kim, Su Mi Lee, Dong Hoon Lee

Science & Engineering Research Support Center (IJSIA), International Journal of Security and Its Applications Vol.6 No.4 2012.10 pp.191-200

In this paper, we analyze relationships between the EFT (Electronic Financial Transaction) Act of Korea and risk assessment standards and propose a map that helps financial institutions determine the priority of security control areas. It is a new method for financial information security risk identification and assessment through correlation analysis between the various security standards and requirements. We attempt to integrate different information security standards and propose risk assessment measures specialized for financial companies, based on a mix of quantitative and qualitative methods, to determine the priority through the calculation of weights. From the results of the correlation analysis, three main security control areas are found to be more important than other areas, and this can be utilized as a risk management measure for security countermeasures. In addition, financial companies should improve the three main security control areas in an interval of at least 10 months. We expect that our result can be provided to security managers and IT auditors as basic data for the establishment of risk mitigation strategies.

19

Design and Implementation of a Compiler with Secure Coding Rules for Secure Mobile Applications

Yunsik Son, Seman Oh

Science & Engineering Research Support Center (IJSIA), International Journal of Security and Its Applications Vol.6 No.4 2012.10 pp.201-206

The dissemination and use of mobile applications have been rapidly expanding these days. In such a situation, the security of mobile applications has emerged as a new issue. In particular, software, including mobile applications, is always exposed to the possibility of malicious attacks by hackers because it exchanges data in the Internet environment. These security weaknesses are the direct cause of software breaches causing serious economic loss. In recent years, awareness has increased that developing secure software is intrinsically a more effective way to eliminate software vulnerabilities than strengthening the security system for the external environment. Therefore, methodology to eliminate vulnerabilities using secure coding rules and checking tools is getting attention as a way to prevent software breaches at the coding stage. However, the existing coding rules do not reflect the characteristics of mobile environments and applications. In this paper, we define secure coding rules that reflect the characteristics of mobile environments and applications through analysis of the existing secure coding rules. We also design and implement a compiler that inspects vulnerabilities of mobile applications at the coding stage using the defined secure coding rules.

20

Security Analysis of the Masking-Shuffling based Side Channel Attack Countermeasures

Jong-Won Cho, Dong-Guk Han

Science & Engineering Research Support Center (IJSIA), International Journal of Security and Its Applications Vol.6 No.4 2012.10 pp.207-214

Side Channel Attacks are known to be effective in cracking secret keys utilized in smart cards, electronic passports, and e-ID cards. A combination of masking and shuffling methods has been proposed as a practical countermeasure to such attacks. Using a template attack (TA), S. Tillich recently analyzed an AES using masking and shuffling techniques with a biased-mask attack technique. To apply this method, however, we need to collect the template information on the masking value in advance. Moreover, this method requires knowing the exact time position of the target masking value for a higher probability of success. In this paper, we suggest a new practical method called a Biasing Power Analysis (BPA) to find a secret key used in an AES based on a masking-shuffling method without the use of the time position and template information of the masking value. We conducted an experiment on a BPA attack against a 128-bit AES secret key based on a masking-shuffling method operating on an MSP430 chip and succeeded in finding the entire secret key. The results of this study can be utilized for next-generation ID cards to verify their physical safety.

21

Design of User Information Profiling for Consolidated Authentication in N-Screen Environment

Jae-jung Kim, Seng-phil Hong, Yu-jin Shin, Hyun-mi Jang, Jaehyoun Kim

Science & Engineering Research Support Center (IJSIA), International Journal of Security and Its Applications Vol.6 No.4 2012.10 pp.215-222

There has been an increase in services and contents based on heterogeneous multiple media in the wake of the emergence of various smart devices. However, it is difficult to share the services and contents because the smart devices adopt independent OSes. HTML5, which provides interoperability and can solve such a problem, has come into the limelight. Nonetheless, the standardization of HTML5 has yet to be completed, making it difficult to achieve integrated authentication for safe use of services. This paper presents a user profile design method for integrated authentication within services based on HTML5. We intend to discuss a measure which enables the integrated management of personal information across heterogeneous devices using the designed integrated user profile information and can help provide authentication by phase depending on the selection of the user.
