IEEE 2016 / 17 - Web Security
IEEE 2016 : An Exploration of Geographic Authentication Schemes
IEEE 2016 Web Security
Abstract:—We design and explore the usability and security of two geographic authentication schemes: GeoPass and GeoPass-Notes. GeoPass requires users to choose a place on a digital map to authenticate with (a location password). GeoPass Notes—an extension of GeoPass—requires users to annotate their location password with a sequence of words that they can associate with the location (an annotated location password). In GeoPass Notes, users are authenticated by correctly entering both a location and an annotation. We conducted user studies to test the usability and assess the security of location passwords and annotated location passwords. The results indicate that both the variants are highly memorable, and that annotated location passwords may be more advantageous than location passwords alone due to their increased security and the minimal usability impact introduced by the annotation.
IEEE 2016 : Dummy-Based User Location Anonymization Under Real-World Constraints
IEEE 2016 Web Security
Abstract:—According to the growth of mobile devices equipped with a GPS receiver, a variety of locationbased services (LBSs) have been launched. Since location information may reveal private information, preserving location privacy has become a signi_cant issue. Previous studies proposed methods to preserve a users' privacy; however, most of them do not take physical constraints into consideration. In this paper, we focus on such constraints and propose a location privacy preservation method that can be applicable to a real environment. In particular, our method anonymizes the user's location by generating dummies which we simulate to behave like real human. It also considers traceability of the user's locations to quickly recover from an accidental reveal of the user's location. We conduct an experiment using five users' real GPS trajectories and compared our method with previous studies. The results show that our method ensures to anonymize the user's location within a pre-determined range. It also avoids fixing the relative positions of the user and dummies, which may give a hint for an LBS provider to identify the real user. In addition, we conducted a user experiment with 22 participants to evaluate the robustness of our method against humans. We asked participants to observe movements of a user and dummies and try to _nd the real user. As a result, we confirmed that our method can anonymize the users' locations even against human's observation.
IEEE 2016 : Privacy-Preserving Location Sharing Services for Social Networks
IEEE 2016 Web Security
Abstract:—A common functionality of many location-based social networking applications is a location sharing service that allows a group of friends to share their locations. With a potentially untrusted server, such a location sharing service may threaten the privacy of users. Existing solutions for Privacy-Preserving Location Sharing Services (PPLSS) require a trusted third party that has access to the exact location of all users in the system or rely on expensive algorithms or protocols in terms of computational or communication overhead. Other solutions can only provide approximate query answers. To overcome these limitations, we propose a new encryption notion, called Order-Retrievable Encryption (ORE), for PPLSS for social networking applications. The distinguishing characteristics of our PPLSS are that it (1) allows a group of friends to share their exact locations without the need of any third party or leaking any location information to any server or users outside the group, (2) achieves low computational and communication cost by allowing users to receive the exact location of their friends without requiring any direct communication between users or multiple rounds of communication between a user and a server, (3) provides efficient query processing by designing an index structure for our ORE scheme, (4) supports dynamic location updates, and (5) provides personalized privacy protection within a group of friends by specifying a maximum distance where a user is willing to be located by his/her friends. Experimental results show that the computational and communication cost of our PPLSS is much better than the state-of-the-art solution.
IEEE 2016 : STAMP: Enabling Privacy-Preserving Location Proofs for Mobile Users
IEEE 2016 Web Security
Abstract:—Location-based services are quickly becoming immensely popular. In addition to services based on users' current location, many potential services rely on users' location history, or their spatial-temporal provenance. Malicious users may lie about their spatial-temporal provenance without a carefully designed security system for users to prove their past locations. In this paper, we present the Spatial-Temporal provenance Assurance with Mutual Proofs (STAMP) scheme. STAMP is designed for ad-hoc mobile users generating location proofs for each other in a distributed setting. However, it can easily accommodate trusted mobile users and wireless access points. STAMP ensures the integrity and non-transferability of the location proofs and protects users' privacy. A semi-trusted Certification Authority is used to distribute cryptographic keys as well as guard users against collusion by a light-weight entropy-based trust evaluation approach. Our prototype implementation on the Android platform shows that STAMP is low-cost in terms of computational and storage resources. Extensive simulation experiments show that our entropy-based trust model is able to achieve high collusion detection accuracy.
PRISM: PRivacy-aware Interest Sharing and Matching in Mobile Social Networks
IEEE 2016 Web Security
Abstract:—In a profile matchmaking application of mobile social networks, users need to reveal their interests to each other in order to find the common interests. A malicious user may harm a user by knowing his personal information. Therefore, mutual interests need to be found in a privacy preserving manner. In this paper, we propose an efficient privacy protection and interests sharing protocol referred to as PRivacy-aware Interest Sharing and Matching (PRISM). PRISM enables users to discover mutual interests without revealing their interests. Unlike existing approaches, PRISM does not require revealing the interests to a trusted server. Moreover, the protocol considers attacking scenarios that have not been addressed previously and provides an efficient solution. The inherent mechanism reveals any cheating attempt by a malicious user. PRISM also proposes the procedure to eliminate Sybil attacks. We analyze the security of PRISM against both passive and active attacks. Through implementation, we also present a detailed analysis of the performance of PRISM and compare it with existing approaches. The results show the effectiveness of PRISM without any significant performance degradation.
IEEE 2016 : Single-sample Face Recognition Based on LPP Feature Transfer
IEEE 2016 Web Security
Abstract:—Due to its wide applications in practice, face recognition has been an active research topic. With the availability of adequate training samples, many machine learning methods could yield high face recognition accuracy. However, under the circumstance of inadequate training samples, especially the extreme case of having only a single training sample, face recognition becomes challenging. How to deal with conflicting concerns of the small sample size and high dimensionality in one-sample face recognition is critical for its achievable recognition accuracy and feasibility in practice. Being different from conventional methods for global face recognition based on generalization ability promotion and local face recognition depending on image segmentation, a single-sample face recognition algorithm based on Locality Preserving Projection (LPP) feature transfer is proposed here. First, transfer sources are screened to obtain the selective sample source using the whitened cosine similarity metric. Secondly, we project the vectors of source faces and target faces into feature sub-space by LPP respectively, and calculate the feature transfer matrix to approximate the mapping relationship on source faces and target faces in subspace. Then, the feature transfer matrix is used on training samples to transfer the original macro characteristics to target macro characteristics. Finally, the nearest neighbor classifier is used for face recognition. Our results based on popular databases FERET, ORL and Yale demonstrate the superiority of the proposed LPP feature transfer based one-sample face recognition algorithm when compared with popular single-sample face recognition algorithms such as (PC)2A and Block FLDA.
A Shoulder Surfing Resistant Graphical Authentication System
IEEE 2016 Web Security
Abstract:—Authentication based on passwords is used largely in applications for computer security and privacy. However, human actions such as choosing bad passwords and inputting passwords in an insecure way are regarded as ”the weakest link” in the authentication chain. Rather than arbitrary alphanumeric strings, users tend to choose passwords either short or meaningful for easy memorization. With web applications and mobile apps piling up, people can access these applications anytime and anywhere with various devices. This evolution brings great convenience but also increases the probability of exposing passwords to shoulder surfing attacks. Attackers can observe directly or use external recording devices to collect users’ credentials. To overcome this problem, we proposed a novel authentication system PassMatrix, based on graphical passwords to resist shoulder surfing attacks. With a one-time valid login indicator and circulative horizontal and vertical bars covering the entire scope of pass-images, PassMatrix offers no hint for attackers to figure out or narrow down the password even they conduct multiple camera-based attacks. We also implemented a PassMatrix prototype on Android and carried out real user experiments to evaluate its memorability and usability. From the experimental result, the proposed system achieves better resistance to shoulder surfing attacks while maintaining usability.
Captcha as Graphical Passwords—A New Security Primitive Based on Hard AI Problems
Abstract— Many security primitives are based on hard mathematical problems. Using hard AI problems for security is emerging as an exciting new paradigm, but has been underexplored. In this paper, we present a new security primitive based on hard AI problems, namely, a novel family of graphical password systems built on top of Captcha technology, which we call Captcha as graphical passwords (CaRP). CaRP is both a Captcha and a graphical password scheme. CaRP addresses a number of security problems altogether, such as online guessing attacks, relay attacks, and, if combined with dual-view technologies, shoulder-surfing attacks. Notably, a CaRP password can be found only probabilistically by automatic online guessing attacks even if the password is in the search set. CaRP also offers a novel approach to address the well-known image hotspot problem in popular graphical password systems, such as Pass Points, that often leads to weak password choices. CaRP is not a panacea, but it offers reasonable security and usability and appears to fit well with some practical applications for improving online security.
2.Online Payment System using Steganography and Visual Cryptography
Abstract— A rapid growth in E-Commerce market is seen in recent time throughout the world. With ever increasing popularity of online shopping, Debit or Credit card fraud and personal information security are major concerns for customers, merchants and banks specifically in the case of CNP (Card Not Present). This paper presents a new approach for providing limited information only that is necessary for fund transfer during online shopping thereby safeguarding customer data and increasing customer confidence and preventing identity theft. The method uses combined application of steganography and visual cryptography for this purpose.
Abstract— Equipped with state-of-the-art smart phones and mobile devices, today’s highly interconnected urban population is increasingly dependent on these gadgets to organize and plan their daily lives. These applications often rely on current (or preferred) locations of individual users or a group of users to provide the desired service, which jeopardizes their privacy; users do not necessarily want to reveal their current (or preferred) locations to the service provider or to other, possibly untrusted, users. In this paper, we propose privacy-preserving algorithms for determining an optimal meeting location for a group of users. We perform a thorough privacy evaluation by formally quantifying privacy-loss of the proposed approaches. In order to study the performance of our algorithms in a real deployment, we implement and test their execution efficiency on Nokia smart phones. By means of a targeted user-study, we attempt to get an insight into the privacy-awareness of users in location based services and the usability of the proposed solutions.
Abstract— Using geo-social applications, such as Four Square, millions of people interact with their surroundings through their friends and their recommendations. Without adequate privacy protection, however, these systems can be easily misused, e.g., to track users or target them for home invasion. In this paper, we introduce LocX, a novel alternative that provides significantly-improved location privacy without adding uncertainty into query results or relying on strong assumptions about server security. Our key insight is to apply secure user-specific, distance-preserving coordinate transformations to all location data shared with the server. The friends of a user share this user’s secrets so they can apply the same transformation. This allows all location queries to be evaluated correctly by the server, but our privacy mechanisms guarantee that servers are unable to see or infer the actual location data from the transformed data or from the data access. We show that LocX provides privacy even against a powerful adversary model, and we use prototype measurements to show that it provides privacy with very little performance overhead, making it suitable for today’s mobile devices.
Abstract— Distributed computing is a method of computer processing in which different parts of a program run simultaneously on two or more computers that are communicating with each other over a system. Distributed computing is a type of segmented or corresponding computing, but the last term is most usually used to refer to dispensation in which different parts of a program run simultaneously on two or more processors that are part of the same computer. Beside all this there is security issues arise. Through insecure environment distribute the data to get the leakage problem inside the network communication or exchanges the resources of content information specification process. Previous system it cannot provides any verification and validation results specification process. There is no perfect encrypted format of data; it can contain less computational resources of information. In present system we are going to implement robust design with perfect security constraints. We also were implementing Linear Programming Condition and Fully Homomorphic encryption technique.
Abstract— E-banking services vitally need comprehensive secure and simple authentication methods in order to be universally spread. In this paper, a new method of authentication was propose and tested. This method uses templates in addition to passwords which are received in registration process. Template provides benefits of one-time passwords in practice, and can thwart common attacks of the context. Template can be as simple as using week-days or even simpler, as parity of the day. Each template can be added to the either end of passwords, therefore there would be numerous templates with two possible positions each; which provide security as well as simplicity. These templates can be changed by various parameters, e.g. time, and generating different passwords. This method can provides ease of use for users as well as security; which the former could be important for a wide range of users such as the elder liess.
Abstract— Most of the existing authentication system has certain drawbacks for that reason graphical passwords are most preferable authentication system where users click on images to authenticate themselves. An important usability goal of an authentication system is to support users for selecting the better password. User creates memorable password which is easy to guess by an attacker and strong system assigned passwords are difficult to memorize. So researchers of modern days gone through different alternative methods and conclude that graphical passwords are most preferable authentication system. The proposed system combines the existing cued click point technique with the persuasive feature to influence user choice, encouraging user to select more random click point which is difficult to guess.
Abstract— Usable security has unique usability challenges because the need for security often means that standard human-computer-interaction approaches cannot be directly applied. An important usability goal for authentication systems is to support users in selecting better passwords. Users often create memorable passwords that are easy for attackers to guess, but strong system-assigned passwords are difficult for users to remember. So researchers of modern days have gone for alternative methods wherein graphical pictures are used as passwords. Graphical passwords essentially use images or representation of images as passwords. Human brain is good in remembering picture than textual character. There are various graphical password schemes or graphical password software in the market. However, very little research has been done to analyze graphical passwords that are still immature. There for, this project work merges persuasive cued click points and password guessing resistant protocol. The major goal of this work is to reduce the guessing attacks as well as encouraging users to select more random, and difficult passwords to guess. Well known security threats like brute force attacks and dictionary attacks can be successfully abolished using this method.