Search Results (128)

Telemedicine diagnosis has become a more flexible and convenient way to receive diagnoses, which is of great significance in enhancing diagnosis, cutting costs, and serving remote users. However, telemedicine faces many security problems, such as the complexity of user authentication, the balance of the existing biometric factor authentication scheme, the unpredictability of user behavior, and the difficulty of unified authentication due to the differences in the security standards and authentication mechanisms of different trust domains, which affect the sustainable development of telemedicine. To address the above issues, this paper presents an identity management scheme based on multi-factor authentication and dynamic trust evaluation for telemedicine. Its authentication combines iris recognition for secure biometric verification, smart cards for encrypted credential storage, and static passwords for supplementary verification, addressing scenarios like facial coverage in medical settings. The scheme dynamically adjusts authentication based on attack rates, login anomalies, and service durations. By integrating ShangMi cryptographic algorithms and blockchain, it optimizes performance, achieving 35% lower communication overhead than previous protocols. A security analysis shows it resists impersonation, man-in-the-middle, and password modification attacks while preserving user anonymity. System evaluation meets authoritative standards, validating its practicality. This scheme balances security and efficiency, providing a strong basis for telemedicine’s long-term viability. Full article

Internet of Things (IoT) user authentication protocols enable secure authentication and session key negotiation between users and IoT devices via an intermediate server, allowing users to access sensor data or control devices remotely. However, the existing IoT user authentication schemes often assume that the servers (registration center and intermediate servers) are fully trusted, overlooking the potential risk of insider attackers. Moreover, most of the existing schemes lack critical security properties, such as resistance to ephemeral secret leakage attacks and offline password guessing attacks, and they are unable to provide perfect forward security. Furthermore, with the rapid growth regarding IoT devices, the servers must manage a large number of users and device connections, making the performance of the authentication scheme heavily reliant on the server’s computational capacity, thereby impacting the system’s scalability and efficiency. The design of security protocols is based on the underlying security model, and the current IoT user authentication models fail to cover crucial threats like insider attacks and ephemeral secret leakage. To overcome these limitations, we propose a new security model, IoT-3eCK, which assumes semi-trusted servers and strengthens the adversary model to better meet the IoT authentication requirements. Based on this model, we design an efficient protocol that ensures user passwords, biometric data, and long-term keys are protected from insider users during registration, mitigating insider attacks. The protocol also integrates dynamic pseudo-identity anonymous authentication and ECC key exchange to satisfy the security properties. The performance analysis shows that, compared to the existing schemes, the new protocol reduces the communication costs by over 23% and the computational overhead by more than 22%, with a particularly significant reduction of over 95% in the computational overhead at the intermediate server. Furthermore, the security of the protocol is rigorously demonstrated using the random oracle model and verified with automated tools, further confirming its security and reliability. Full article

Over recent decades, internet-based communication has grown exponentially, accompanied by a surge in cyber threats from malicious actors targeting users and organizations, heightening the demand for robust security and privacy measures. With the emergence of physical–digital environments based on Mixed Reality (MR) and the Metaverse, new cybersecurity, privacy, and confidentiality challenges have surfaced, requiring innovative approaches. This work examines the current landscape of cybersecurity concerns in MR and Metaverse environments, focusing on their unique vulnerabilities and the risks posed to users and their data. Key challenges include authentication issues, data breaches, and risks to user anonymity. The work also explores advancements in secure design frameworks, encryption techniques, and regulatory approaches to safeguard these technologies. Additionally, it identifies opportunities for further research and innovation to strengthen data protection and ensure a safe, trustworthy experience in these environments. Full article

The rapidly growing number of electric vehicles and the large-scale user privacy management in smart grids have led to a symmetrical phenomenon. While decentralized identifiers (DIDs) offer a promising solution for users to better control their private data, the frequent interactions between vehicles and the grid require a vast number of identities. Existing methods, while focusing on efficiency, often neglect privacy protection, especially in Vehicle-to-Grid (V2G) scenarios. They also overlook fundamental features such as resistance to Sybil attacks and the ability to supervise malicious identities, which may seem contradictory to privacy protection. In this paper, we propose an identity authentication scheme based on decentralized identifiers (DIDs) that allow massive numbers of electric vehicle users to autonomously control the disclosure of their information. We also introduce a mechanism that simultaneously protects privacy while resisting Sybil attacks and strengthening privacy in V2G scenarios. Furthermore, our scheme enables anonymity while maintaining supervisory capabilities. Experimental results and formal proofs demonstrate that the proposed scheme performs well in terms of authentication efficiency and security, making it suitable for large-scale V2G deployments. Full article

The Internet of Drones (IoD) is an emerging industry that offers convenient services for humans due to the high mobility and flexibility of drones. The IoD substantially enhances human life by enabling diverse drone applications across various domains. However, a malicious adversary can attempt security attacks because communication within an IoD environment is conducted through public channels and because drones are vulnerable to physical attacks. In 2023, Sharma et al. proposed a physical unclonable function (PUF)-based authentication and key agreement (AKA) scheme for the IoD. Regrettably, we discover that their scheme cannot prevent impersonation, stolen verifier, and ephemeral secret leakage (ESL) attacks. Moreover, Sharma et al.’s scheme cannot preserve user untraceability and anonymity. In this paper, we propose a secure and lightweight AKA scheme which addresses the shortcomings of Sharma et al.’s scheme. The proposed scheme has resistance against diverse security attacks, including physical capture attacks on drones, by leveraging a PUF. Furthermore, we utilize lightweight operations such as hash function and XOR operation to accommodate the computational constraints of drones. The security of the proposed scheme is rigorously verified, utilizing “Burrows–Abadi–Needham (BAN) logic”, “Real-or-Random (ROR) model”, “Automated Validation of Internet Security Protocols and Application (AVISPA)”, and informal analysis. Additionally, we compare the security properties, computational cost, communication cost, and energy consumption of the proposed scheme with other related works to evaluate performance. As a result, we determine that our scheme is efficient and well suited for the IoD. Full article

A group signature scheme allows a user to sign a message anonymously on behalf of a group and provides accountability by using an opening authority who can “open” a signature and reveal the signer’s identity. Group signature schemes have been widely used in privacy-preserving applications, including anonymous attestation and anonymous authentication. Fully dynamic group signature schemes allow new members to join the group and existing members to be revoked if needed. Symmetric-key based group signature schemes are post-quantum group signatures whose security rely on the security of symmetric-key primitives, and cryptographic hash functions. In this paper, we design a symmetric-key based fully dynamic group signature scheme, called DGMT, that redesigns DGM (Buser et al. ESORICS 2019) and removes its two important shortcomings that limit its application in practice: (i) interaction with the group manager for signature verification, and (ii) the need for storing and managing an unacceptably large amount of data by the group manager. We prove security of DGMT (unforgeability, anonymity, and traceability) and give a full implementation of the system. Compared to all known post-quantum group signature schemes with the same security level, DGMT has the shortest signature size. We also analyze DGM signature revocation approach and show that despite its conceptual novelty, it has significant hidden costs that makes it much more costly than using the traditional revocation list approach. Full article

IoT-based applications require effective anonymous authentication and key agreement (AKA) protocols to secure data and protect user privacy due to open communication channels and sensitive data. While AKA protocols for these applications have been extensively studied, achieving anonymity remains a challenge. AKA schemes using one-time pseudonyms face resynchronization issues after desynchronization attacks, and the high computational overhead of bilinear pairing and public key encryption limits its applicability. Existing schemes also lack essential security features, causing issues such as vulnerability to ephemeral secret leakage attacks and key compromise impersonation. To address these issues, we propose two novel AKA schemes, PUAKA and RCAKA, designed for different IoT traffic patterns. PUAKA improves end device anonymity in the periodic update pattern by updating one-time pseudonyms with authenticated session keys. RCAKA, for the remote control pattern, ensures anonymity while reducing communication and computation costs using shared signatures and temporary random numbers. A key contribution of RCAKA is its ability to resynchronize end devices with incomplete data in the periodic update pattern, supporting continued authentication. Both protocols’ security is proven under the Real-or-Random model. The performance comparison results show that the proposed protocols exceed existing solutions in security features and communication costs while reducing computational overhead by 32% to 50%. Full article

Medical Internet of Things (IoT) systems can be used to monitor and treat patient health conditions. Security and privacy issues in medical IoT services are more important than those in any other IoT-enabled service. Therefore, various mutual authentication and key-distribution schemes have been proposed for secure communication in medical IoT services. We analyzed Hu et al.’s scheme and found that an attacker can impersonate legitimate sensor nodes and generate illegitimate session keys using the information stored in the sensor node and the information transmitted over the public channel. To overcome these vulnerabilities, we propose a scheme that utilizes physically unclonable functions to ensure a secure session key distribution and increase the computational efficiency of resource-limited sensor nodes. In addition, the proposed scheme enhances privacy protection using pseudonyms, which we prove using a formal security analysis tool, ProVerif 2.05. Full article

Anonymous credential (AC) systems are privacy-preserving authentication mech-anisms that allow users to prove that they have valid credentials anonymously. These systems provide a powerful tool for several practical applications, such as anonymous pay-ment systems in e-commerce, preserving robust privacy protection for users. Most existing AC systems are constructed using traditional number-theoretic approaches, making them insecure under quantum attacks. With four decades of research in anonymous credential systems, there is a need for a comprehensive review that identifies the design structures of AC systems, organizes the research trends, and highlights unaddressed gaps for the future development of AC, especially bringing AC to post-quantum cryptography. This work is a complete study describing AC systems, as well as their architecture, components, security, and performance. Additionally, real-world implementations of various applications are identified, analyzed, and compared according to the design structure. Lastly, the challenges hindering the shift toward the quantumly secure lattice-based AC designs are discussed. Full article

The cross-chain identity authentication method based on relay chains provides a promising solution to the issues brought by the centralized notary mechanism. Nonetheless, it continues to encounter numerous challenges regarding data privacy, security, and issues of heterogeneity. For example, there is a concern regarding the protection of identity information during the cross-chain authentication process, and the incompatibility of cryptographic components across different blockchains during cross-chain transactions. We design and propose a cross-chain identity privacy protection method based on relay chains to address these issues. In this method, the decentralized nature of relay chains ensures that the cross-chain authentication process is not subject to subjective manipulation, guaranteeing the authenticity and reliability of the data. Regarding the compatibility issue, we unify the user keys according to the identity manager organization, storing them on the relay chain and eliminating the need for users to configure identical key systems. Additionally, to comply with General Data Protection Regulation (GDPR) principles, we store the user keys from the relay chain in distributed servers using the InterPlanetary File System (IPFS). To address privacy concerns, we enable pseudonym updates based on the user’s public key during cross-chain transactions. This method ensures full compatibility while protecting user privacy. Moreover, we introduce Zero-Knowledge Proof (ZKP) technology, ensuring that audit nodes cannot trace the user’s identity information with malicious intent. Our method offers compatibility while ensuring unlinkability and anonymity through thorough security analysis. More importantly, comparative analysis and experimental results show that our proposed method achieves lower computational cost, reduced storage cost, lower latency, and higher throughput. Therefore, our method demonstrates superior security and performance in cross-chain privacy protection. Full article

The proliferation of the Internet of Things (IoT) has worsened the challenge of maintaining data and user privacy. IoT end devices, often deployed in unsupervised environments and connected to open networks, are susceptible to physical tampering and various other security attacks. Thus, robust, efficient authentication and key agreement (AKA) protocols are essential to protect data privacy during exchanges between end devices and servers. The previous work in “Provably Secure ECC-Based Anonymous Authentication and Key Agreement for IoT” proposed a novel AKA scheme for secure IoT environments. They claimed their protocol offers comprehensive security features, guarding against numerous potential flaws while achieving session key security. However, this paper demonstrates through logical and mathematical analyses that the previous work is vulnerable to various attacks. We conducted a security analysis using the extended Canetti and Krawczyk (eCK) model, which is widely employed in security evaluations. This model considers scenarios where an attacker has complete control over the network, including the ability to intercept, modify, and delete messages, while also accounting for the potential exposure of ephemeral private keys. Furthermore, we show that their scheme fails to meet critical security requirements and relies on flawed security assumptions. We prove our findings using the automated validation of internet security protocols and applications, a widely recognized formal verification tool. To strengthen attack resilience, we propose several recommendations for the advancement of more robust and efficient AKA protocols specifically designed for IoT environments. Full article

Extended Reality (XR), encompassing Augmented Reality (AR), Virtual Reality (VR), and Mixed Reality (MR), enables immersive experiences across various fields, including entertainment, healthcare, and education. However, its data-intensive and interactive nature introduces significant cybersecurity and privacy challenges. This paper presents a detailed adversary model to identify threat actors and attack vectors in XR environments. We analyze key risks, including identity theft and behavioral data leakage, which can lead to profiling, manipulation, or invasive targeted advertising. To mitigate these risks, we explore technical solutions such as Advanced Encryption Standard (AES), Rivest–Shamir–Adleman (RSA), and Elliptic Curve Cryptography (ECC) for secure data transmission, multi-factor and biometric authentication, data anonymization techniques, and AI-driven anomaly detection for real-time threat monitoring. A comparative benchmark evaluates these solutions’ practicality, strengths, and limitations in XR applications. The findings emphasize the need for a holistic approach, combining robust technical measures with privacy-centric policies, to secure XR ecosystems and ensure user trust. Full article

Permissioned blockchains are increasingly used in areas like supply chain management, financial transactions, and medical data sharing, where ensuring data consistency and security is critical. However, these systems are vulnerable to threats such as DDoS attacks, forged transactions, and certificate authority compromises, primarily due to inadequate network layer admission control. Existing solutions, like static whitelisting, struggle with scalability and adaptability in dynamic environments. This paper proposes a novel admission control mechanism based on identity-based cryptography, utilizing multi-level anonymous identifiers and decentralized private key generation to enhance user authentication and privacy. The mechanism dynamically updates whitelists and selectively filters network traffic, ensuring a balance between security and performance. Experimental results validate its effectiveness in mitigating key threats while maintaining operational efficiency. Full article

The smart grid (SG) is an efficient and reliable framework capable of controlling computers, automation, new technologies, and devices. Advanced metering infrastructure (AMI) is a crucial part of the SG, facilitating two-way communication between users and service providers (SPs). Computation, storage, and communication are extremely limited as the AMI’s device is typically deployed outdoors and connected to an open network. Therefore, an authentication and key agreement protocol is necessary to ensure the security and confidentiality of communications. Existing research still does not meet the anonymity, perfect forward secrecy, and resource-limited requirements of the SG environment. To address this issue, we advance a lightweight authentication and key agreement scheme based on elliptic curve cryptography (ECC). The security of the proposed protocol is rigorously proven under the random oracle model (ROM), and was verified by a ProVerif tool. Additionally, performance comparisons validate that the proposed protocol provides enhanced security features at the lowest computation and communication costs. Full article

As a hot technology trend, the federated learning (FL) cleverly combines data utilization and privacy protection by processing data locally on the client and only sharing model parameters with the server, embodying an efficient and secure collaborative learning model between clients and aggregated Servers. During the process of uploading parameters in FL models, there is susceptibility to unauthorized access threats, which can result in training data leakage. To ensure data security during transmission, the Authentication and Key Agreement (AKA) protocols are proposed to authenticate legitimate users and safeguard training data. However, existing AKA protocols for client–server (C/S) architecture show security deficiencies, such as lack of user anonymity and susceptibility to password guessing attacks. In this paper, we propose a robust 2FAKA-C/S protocol based on ECC and Hash-chain technology. Our security analysis shows that the proposed protocol ensures the session keys are semantically secure and can effectively resist various attacks. The performance analysis indicates that the proposed protocol achieves a total running time of 62.644 ms and requires only 800 bits of communication overhead, showing superior computational efficiency and lower communication costs compared to existing protocols. In conclusion, the proposed protocol securely protects the training parameters in a federated learning environment and provides a reliable guarantee for data transmission. Full article