forward secrecy
Recently Published Documents

Total documents: 190 (five years: 43)
H-index: 16 (five years: 4)

2021 ◽ Vol 8 (6) ◽ pp. 1215
Author(s): Amiruddin Amiruddin ◽ Muhammad Faqih Rohmani

Security specifications are very important for chat application development because they can determine an application's level of security, which in turn affects user trust. However, the security features of applications in circulation are not all based on a clear security requirement specification. For example, the Mxit and QQ Mobile applications do not meet any of the seven security categories for secure chat issued by the Electronic Frontier Foundation (EFF). Even Yahoo! Messenger has not implemented a good security design: for example, we cannot verify the identity of our contacts, and it does not apply perfect forward secrecy. This means that the security features of some chat applications are developed without being based on a security specification design. In this study, security specifications for secure chat application development were designed with reference to the Common Criteria for IT Security Evaluation Version 3.1:2017. The resulting design specifies 28 families from 7 classes of Secure Functional Requirements (SFR) that must be met in the development of secure chat applications. The design has been validated using the expert judgment method.


2021 ◽ Vol ahead-of-print (ahead-of-print)
Author(s): Sultan Basudan

Purpose: In line with the fast development of information technology, the Internet of Medical Robotic Things (IoMRT) is gaining more ground in health care. Sharing patients' information effectively and securely can improve sensing data usage and confidentiality. Nevertheless, current IoMRT data sharing schemes are lacking in terms of supporting efficient forward secrecy; when the secret key for a robotic nurse acting as a data requester is compromised, all the data historically shared with this robotic nurse will be leaked.

Design/methodology/approach: The presented paper suggests an efficient puncturable attribute-based data sharing scheme enabling guaranteed firm security and versatile access control over health sensing data in IoMRT. This scheme integrates attribute-based and puncturable encryption to provide a shared secret key for data sharing that can be encrypted by an access structure over the Data Requester (DR) attributes. Additionally, the establishment of the shared key and the mutual authentication are done simultaneously between the cloud servers and DRs.

Findings: The proposed scheme can achieve forward secrecy by adopting the Bloom filter technique, which efficiently helps the updating of a private key with no need for the key distributor to reissue the key. The security proof illustrates that this scheme adheres to the security model. Besides, the performance evaluation expresses the feasibility of the suggested scheme.

Originality/value: The main goal of designing a puncture algorithm is to devise an updated key from the ciphertext and a secret key, allowing the decryption of all ciphertexts except the one that has been punctured on. This research illustrates the first effort to develop a puncturable attribute-based encryption scheme to achieve efficient fine-grained data sharing in IoMRT.


Electronics ◽ 2021 ◽ Vol 10 (16) ◽ pp. 2009
Author(s): Hung-Yu Chien

Conventionally, public key certificates bind one subject with one static public key so that the subject can facilitate the services of the public key infrastructure (PKI). In PKI, certificates need to be renewed (or revoked) for several practical reasons, including certificate expiration, private key breaches, condition changes, and possible risk reduction. The certificate renewal process is very costly, especially for those environments where online authorities are not available or the connection is not reliable. A dynamic public key certificate (DPKC) facilitates the dynamic changeover of the current public–private key pairs without renewing the certificate authority (CA). This paper extends the previous study in several aspects: (1) we formally define the DPKC; (2) we formally define the security properties; (3) we propose another implementation of the Krawczyk–Rabin chameleon-hash-based DPKC; (4) we propose two variants of DPKC, using the Ateniese–Medeiros key-exposure-free chameleon hash; (5) we detail two application scenarios.


Symmetry ◽ 2021 ◽ Vol 13 (7) ◽ pp. 1144
Author(s): Chien-Ding Lee ◽ Tzung-Her Chen

The invention of electronic mail (e-mail) has made communication through the Internet easier than before. However, because the fundamental functions of the Internet are built on open-source technologies, it is critical to keep all transmitted e-mail secure and secret. Most current e-mail protocols only allow recipients to check their e-mail after the recipients are authenticated by the e-mail server. Unfortunately, the subsequent e-mail transmission from the server to the recipient remains unprotected, in clear form without encryption. Sometimes this is not acceptable, especially in consideration of issues such as confidentiality and integrity. In this paper, we propose a secure and practical e-mail protocol with perfect forward secrecy, as well as a high security level, in which the session keys used to encrypt the last e-mail will not be disclosed even if the long-term secret key is compromised for any possible reason. Thus, the proposed scheme benefits from the following advantages: (1) providing mutual authentication to remove the threat of not only impersonation attacks, but also spam; (2) guaranteeing confidentiality and integrity while providing the service of perfect forward secrecy; (3) simplifying key management by avoiding the expense of public key infrastructure involvement; and (4) achieving lower computational cost while meeting security criteria compared to the related works. The security analysis and the discussion demonstrate that the proposed scheme works well.


2021 ◽ Vol 2021 ◽ pp. 1-7
Author(s): Ding Wang ◽ Shuhong Hong ◽ Qingxuan Wang

Nowadays, as one of the key applications of the Internet of Things, Industrial IoT (IIoT) has received significant attention and has facilitated our lives. In IIoT environments, an amount of data generally needs to be transmitted between the user and sensing devices over an open channel. To ensure safe transmission of these data, it is necessary for the user and sensing devices to authenticate each other and establish a secure channel between them. Recently, a multifactor authenticated key agreement scheme for IIoT was proposed, which aims to tackle this problem and provide solutions for users' access to multiple sensing devices. This work claims that the proposed scheme is secure against various attacks and has lower communication and computational costs than other existing related schemes. Unfortunately, we find that this scheme cannot resist smart card attack and sensing device capture attack. Furthermore, we show that this scheme fails to provide forward secrecy, which is essential for a secure multifactor authentication scheme.


2021 ◽ Vol 17 (1) ◽ pp. 1-11
Author(s): Mustafa Alzuwaini ◽ Ali Yassin

Modern trends such as cloud computing, social media applications, emails, mobile applications, and URLs have led to increased risks of authorized users being defrauded, as attackers try to gain illegal access to users' accounts through malicious attacks. The phishing attack is one of the dangerous attacks used to access an authorized account illegally. Finance, business, banking, and other sensitive sectors face this type of attack because of the important information they hold. In this paper, we propose a secure verification scheme that can overcome the above-mentioned issues. Additionally, the proposed scheme can resist well-known cyberattacks such as impersonation attacks and MITM attacks. Moreover, the proposed scheme has security features such as strong verification, forward secrecy, and user's identity anomaly. The security analysis and the experimental results demonstrate the strength of the proposed scheme compared with other related works. Finally, our proposed scheme balances performance and security merits.


2021 ◽ Vol 33 (3) ◽ pp. 1-18
Author(s): Mengxia Shuai ◽ Nenghai Yu ◽ Hongxia Wang ◽ Ling Xiong ◽ Yue Li

Security and privacy issues in wireless medical sensor networks (WMSNs) have attracted a lot of attention in both academia and industry due to the sensitivity of medical systems. In the past decade, extensive research has been carried out on these security issues, but no single study exists that addresses them adequately, especially for some important security properties, such as user anonymity and forward secrecy. As a step in this direction, in this paper, the authors propose a lightweight three-factor anonymous authentication scheme with forward secrecy for personalized healthcare applications using only lightweight cryptographic primitives. The proposed scheme adopts a pseudonym identity technique to protect users' real identities and employs a one-way hash chain technique to ensure forward secrecy. Analysis and comparison results demonstrate that the proposed scheme can not only reduce execution time by 34% as compared with the most effective related schemes, but also achieve more security and functional features.


2021 ◽ Vol 2021 ◽ pp. 1-12
Author(s): Mengting Yao ◽ Xiaoming Wang ◽ Qingqing Gan ◽ Yijian Lin ◽ Chengpeng Huang

Vehicular ad hoc networks (VANETs) play a major part in intelligent transportation to enhance traffic efficiency and safety. Security and privacy are essential matters that need to be tackled due to the open communication channel. Most of the existing schemes only provide message authentication without identity authentication, and in particular are unable to support forward secrecy, which is a major security goal of authentication schemes. In this article, we propose a privacy-preserving mutual authentication scheme with batch verification for VANETs which supports both message authentication and identity authentication. More importantly, the proposed scheme achieves forward secrecy, which means the exposure of the shared key will not compromise the previous interaction. The security proof shows that our scheme can withstand various known security attacks, such as the impersonation attack and forgery attack. The experimental analysis results based on communication and computation cost demonstrate that our scheme is more efficient compared with the related schemes.

