Saudi Cultural Missions Theses & Dissertations

Permanent URI for this communityhttps://drepo.sdl.edu.sa/handle/20.500.14154/10

Browse

Has files: YesSubject: search.filters.subject.Authentication

Search Results

Now showing 1 - 7 of 7
  • No Thumbnail Available
    ItemRestricted
    A PUF-based Keyless Authentication Paradigm for Secure IoT Systems
    (University of Louisiana at Lafayette, 2024) Alahmadi, Sara; Bayoumi, Magdy
    The Internet of Things (IoT) drives innovation at individual and industrial scales, introducing massive interconnecting devices with varying security requirements. Authenticating these devices has emerged as a critical challenge, especially for constrained devices. In this context, Physically Unclonable Functions (PUFs) have gained popularity as promising hardware security primitives that offer lightweight and efficient solutions. Despite PUFs’ potential, they are susceptible to modeling attacks, leading researchers to explore new design approaches to increase their resiliency. This research addresses these challenges by developing different Arbiter PUF (APUF) solutions applicable to various applications from constrained devices to those requiring high security and post-quantum protection. First, a taxonomy of consumer IoT ( CIoT) and industrial IoT (IIoT) was presented to identify their distinguishing aspects. Addressing IoT security effectively requires considering the specific needs of different types of IoT applications, mainly consumer and industrial IoT. Second, a detailed analysis of APUF-based designs was conducted, measuring each design’s security scalability. This work evaluates the area and security of studied designs and defines an efficiency metric as security gain per area. Therefore, it showcases how the security of each of the studied design approaches scales in terms of area versus security, providing a guideline and insight for developers and for future improvement. Third, obfuscating techniques were introduced to secure APUF against modeling attacks. The methods implement transformation functions to obscure and safeguard the responses from modeling attacks. The first technique incorporates weak PUFs to fortify strong PUFs. The second technique encodes the challenges into constant weight vectors before generating the response. In addition, Dynamic Feedforward PUF was introduced to enhance the original Feedforward PUF. The method has two levels of configuration and incorporates randomness in the response generation process. Finally, a post-quantum PUF-driven authentication and message exchange framework (McPQ-PUF) was developed. This hybrid authentication and secret message exchange scheme utilizes two security primitives: APUF and McEliece, a post-quantum resilient Public Key Encryption (PKE). The McPQ-PUF framework is resilient against modeling and quantum attacks. This dissertation’s contribution should facilitate PUF-based authentication in an IoT environment. It provides secure and efficient solutions that address IoT ecosystems’ diverse security needs.
    9 0
  • Thumbnail Image
    ItemRestricted
    Usability and security of recognition-based textual password
    (Iowa State University, 2024-07-16) Wasfi, Hassan; Stone, Richard
    Knowledge-based passwords are still the most dominant authentication technique for authentications purposes, in spite of the emergence of alternative systems such as token-based and biometric systems. This approach has remained the most popular one mostly because of its user familiarity, compatibility, usability, affordability. Nevertheless, the main challenge of knowledge-based password schemes based on creating passwords that deliver a balance between usability and security. This dissertation will be focused on the recent researches related to textual and graphical password to have an overview of their usability and security features and drawbacks. The literature review of this dissertation studied the main challenges of textual password schemes (text-based, passphrase, mnemonic, pronounceable, persuasive-text passwords). These schemes have several issues such as memorization, password complexity, password resets, input errors, password reuse and strength against guessing attack. On the other hand, graphical password schemes (recognition, recall, and hybrid passwords) improve the memorability compared to textual password because user experience with interacting with images result in better memorability rate. Graphical passwords have their own issues which are require a huge storage space(costly), complex setup and enrollment, long time to log in, limited password space, and vulnerability to shoulder surfing attack. After a deep investigation done in the literature review, this dissertation will have a thoughtful examination related the major features and drawbacks of recognition-based textual passwords because it provides the usability and security benefits of graphical passwords with the familiarity of textual passwords. Also, this dissertation studied the recognition textual password and its types to have a clear vision to build a usable and secure authentication system. This approach is categorized into two main aspects user and system generated method. Previous researches deeply studied the system-generated recognition textual password for both nouns and passphrase in term of avoiding weak users’ choices of password creation however, researchers found that users had difficulty in memorization in long term memory. On the other hand, user chosen recognition textual password provides high memorability rate compared to system generated but it’s not secure enough because users tend to select predictable words. This dissertation will be focused on user chosen recognition textual password. Third chapter showed a study compares the usability of recognition and recall textual password for nouns and passphrase to distinguish the user’s behaviors of password creation, system design, wordlist, memorability rate, and login time. The study discovered that recognition textual password of passphrase has higher memorability rate compared to recognition nouns, recall nouns and recall passphrase because some users select their password in unmeaningful structure. Also, the login time for recognition passphrase is less than others conditions. The wordlist and system design play an important role storing and retrieving performance. Overall, this result will help to establish a new method that avoiding these issues. Previous studies have not built a recognition textual password method with a high entropy space, and mitigating common attacks. Moreover, enhancing the system design by considering word types, word presentation, and phycological stimulus. These factors can influence the users’ performance in the storing and retrieving processes. Therefore, a novel authentication method called Word Pattern Recognition Textual Password (WPRTP) was proposed, which is based on drawing a pattern on a grid with a specific security requirement to balance between usability and security. This work aims to compare WPRTP with a recall textual password to explore its potential for enhancing user experience, usability, and security. The WPRTP results indicating that it is significantly more memorable in long-term memory (over a three-week period), and required less time to register compared to a recall passphrase. Thus, WPRTP is a potential alternative to traditional textual password.
    25 0
  • Thumbnail Image
    ItemRestricted
    UNDERSTANDING AND MITIGATING THE THREATS OF THERMAL IMAGING ON SECURITY
    (University of Glasgow, 2024-06-25) Alotaibi, Norah Mohsen T; Khamis, Mohamed; Williamson, John
    The evolution of thermal cameras from exclusive, prohibitively expensive technology to compact, economically accessible consumer products has paved the way for their potential widespread adoption in personal gadgets such as smartphones, wearables, and displays. However, this accessibility raises significant security concerns, as it can be exploited for malicious uses, such as thermal attacks. In a thermal attack, an attacker captures a thermal image of a user interface, like a keyboard or touchscreen, to reveal thermal traces left by the user's touch. These attacks can be performed without any overt action taken by the attacker, as heat traces persist for up to 60 seconds after the user has interacted and left the device unattended. Attackers can then analyze the captured image either through visual means or via advanced techniques such as image processing to reconstruct sensitive inputs made by the user, including passwords and other confidential information. Recognizing this threat, this thesis investigates the feasibility of thermal attacks when advanced methods of thermal image analysis are employed and explores mitigation methods against thermal attacks. Six studies were conducted, with the first two examining the feasibility of thermal attacks on common computer keyboards. ThermoSecure, a Deep Learning (DL) system that analyzes thermal images to estimate user input, was introduced, alongside the first publicly available dataset of 1500 thermal images of keyboards. Results from these studies highlighted that AI-driven thermal attacks are more effective. Success varied based on factors, including input-related ones like password length and user typing behavior, and interface-related ones such as keycap material and thermal conductivity. These findings underscored the pressing need for mitigation methods against thermal attacks, leading to the third study, which investigated user perceptions of privacy in relation to thermal cameras, their understanding of thermal attacks, and their preferences for mitigation methods. Previous research proposed several user-centric mitigation methods, yet the results from this study emphasized the need for holistic approaches requiring minimal user involvement. Users expressed openness towards using thermal cameras in daily life but also exhibited privacy and security concerns, largely due to unawareness of thermal attacks and mitigation strategies. With that in mind, Two camera-centric mitigations were introduced and evaluated: four distinct obfuscations (Mitigation 1) and a GANs-based mitigation (ThermoGANs) (Mitigation 2), both of which proved effective against thermal attacks. The results emphasized user preference for mitigation methods that require minimal involvement, even at the potential cost of utility. This thesis underscores the need for holistic strategies that not only prevent camera misuse but also minimize utility impact. The final study explores such a method, investigating input-based induced noise that ensures ineffective heat traces for password reconstruction, both in terms of identifying used keys and the sequence of presses. This research contributes a novel understanding of thermal attack feasibility, user perceptions, and mitigation techniques, providing a foundation for future security measures against thermal attacks.
    33 0
  • Thumbnail Image
    ItemRestricted
    A Cognimetric Authentication Tool (CAT): Temporal Analysis of Touch Dynamics
    (University of Sussex, 2024) Alwhibi, Munirah; Cheng, Peter
    Much research in touch biometric authentication is grounded in a pragmatic, data-driven methodology, involving the collection and analysis of touch data to train machine learning models. In contrast, this research explores the integration of established theories of human cognition and interactive behaviour to inform the design of a Cognimetric Authentication Tool (CAT). In the field of cognitive science, time related measures are widely used to differentiate individuals during task performance. This investigation analyses two temporal measures of swipe and scroll interactions: touch durations (touch) and durations between touches (gap). An existing dataset, comprising interactions from 41 participants engaged in two realistic and cognitively demanding tasks—reading Wikipedia articles (read) and comparing image pairs (compare)—is utilised. The goal of this research is to develop methods for capturing, modelling and comparing participant behaviours for potential authentication applications. It adopts histograms to model and compare temporal behaviours based on the shapes of frequency distributions of each measure within each task. The metric Absolute Distribution Difference (ADD) is introduced by this research to quantify the consistency of temporal behaviour within participants and its distinctiveness across participants. The analysis reveals that intra-participant variations (inconsistency) are overshadowed by inter-participant differences (distinctiveness), which is necessary for authentication. However, the intricate relationship between them emphasises a trade-off; neither is independently sufficient for authentication. Trained only on genuine user’s behaviour, CAT drops error rates to around 10% for a single measure and halving to 5% when combining two measures. To accomplish this, CAT utilises 4 user profiles per participant, tailored to each measure and task, and consisting of the average behaviour of a participant and their personal inconsistency thresholds. This multi-level personalisation approach can compensate for the natural variability and context-dependent nature of human behaviour, and it extends to the fusion functions. Through the research, two sampling techniques are employed: initially, using the entire document as a sample, and subsequently, adopting action-based sampling (a conventional technique). In their current state, both sampling techniques are eligible for delayed authentication, as second factor authentication. Similarly, two fusion methods are employed: measures are combined within the same tasks (a conventional technique), and across tasks, providing complementing aspects of task-specific behaviours. Both sampling and fusion techniques prove effective particularly in relation to the previous research conducted with this dataset.
    12 0
  • Thumbnail Image
    ItemRestricted
    Supporting Secure and Privacy-Preserving Interactions in Intelligent Transportation Systems
    (University of Maryland, Baltimore County, 2024) Alshaeri, Abdulaziz; Younis, Mohamed
    Intelligent Transportation Systems (ITS) leverage the advancement in sensors and RF technologies to enable communication between various traffic players, such as vehicles, pedestrians, traffic infrastructure and IoT devices, and support informed decision-making. Indeed, ITS are expected to revolutionize mobility in smart cities and provide increased safety, efficiency, and comfort. Yet, these advantages need to be combined with resilience to cyberattacks. First, with the realization of the Internet of Vehicles (IoV), vehicles become directly connected to the internet which poses a threat to the in-vehicle network. Second, in some ITS applications, messages are transmitted in plaintexts due to the necessity of a very low latency. With the limited resources of the ITS players and the strict performance and latency requirements, computationally expensive techniques, such as asymmetric cryptography, are not well-suited. In addition, the high frequency of message broadcasts makes the ITS susceptible to trajectory tracking attacks and consequently violates the privacy of the vehicle occupants. Meanwhile, preserving privacy while ensuring non-repudiation is another challenge where accountability is needed to support liability and forensics. Most existing approaches rely significantly on a central authority and a pervasive deployment of roadside infrastructure which makes ITS not economically viable. This dissertation addresses the aforementioned challenges. First, a distributed protocol is presented to enable continual mutual authentication and establishment of session keys. Such protocol leverages hardware-based security primitives that can be used as fingerprints for ITS nodes; it employs a novel obfuscation technique that safeguards against disclosure and prediction of the node fingerprint. Second, an authentication protocol is proposed to safeguard against unauthorized remote access to the in-vehicle network. Third, a distributed scheme is devised for cost-efficient and privacy-aware authentication in vehicular communication networks using mobile devices; the proposed scheme promotes a novel delegated message verification methodology that minimizes the overhead and scales for large setups. Fourth, the dissertation addresses the ultra-low latency requirements in dynamic contactless charging of Electric Vehicles (EVs) and proposes a Blockchain-based energy trading scheme that ensures fast authentication between EVs and charging pads and sustains payment integrity by countering cloning and double-spending of charging tickets. Last, this dissertation investigates the challenge in changing pseudonyms to support privacy as pseudonyms are used to sustain the anonymity of ITS nodes. Then, a novel scheme is developed in which each node autonomously generates a single-use pseudonym for each message broadcast to counter trajectory tracking attacks in ITS. The security of the proposed techniques is verified using prominent tools. The simulation-based experiments demonstrate that the proposed techniques outperform competing approaches in the literature.
    35 0
  • Thumbnail Image
    ItemRestricted
    LIGHTWEIGHT MUTUAL AUTHENTICATION PROTOCOLS FOR IOT SYSTEMS
    (University of Maryland Baltimore County, 2024) Alkanhal, Mona; Younis, Mohamed
    The Internet of Things (IoT) refers to the large-scale internetworking of diverse devices, many of them with very limited computational resources. Given the ad-hoc formation of the network and dynamic membership of nodes, device authentication is critical to prevent malicious devices from joining the network and impersonating legitimate nodes. The most popular authentication strategy in the literature is to pursue asymmetric cryptography. Such a solution is costly in terms of computing resources and power consumption and thus is not suitable for IoT devices which are often resource constrained. Moreover, due to the autonomous nature of the IoT nodes, relying on an intermediary server to manage the authentication process induces overhead and consequently decreases the network efficacy. Thus, the authentication process should be geared for nodes that operate autonomously. This dissertation opts to fulfill the aforementioned requirements by developing a library of lightweight authentication protocols that caterers for variant IoT applications. We consider a hardware-based security primitive, namely Physical Unclonable Functions (PUFs). A PUF benefits from the random and uncontrollable variations experienced during the manufacturing of integrated circuits in constructing a device signature that uniquely maps input bits, referred to as challenge, into an output bit(s) that reflects the PUF response. A fundamental issue with distributed authentication using PUFs is that the challenge-response exchange is among IoT nodes rather than the secure server and hence becomes subject to increased vulnerability to attacks. Particularly, eavesdroppers could intercept the inter-node interactions to collect sufficient challenge-response pairs (CRPs) for modeling the underlying PUF using machine learning (ML) techniques. Obfuscating the challenge and response through encryption is not practical since it requires network-wide management of secret keys and diminishes the advantages of PUFs. The dissertation tackles the aforementioned challenges. We first develop a novel authentication mechanism that is based on the incorporation of a PUF in each device. Our mechanism enables the challenge bit string intended by a verifier δy to be inferred by a prover δx rather than being explicitly sent. The proposed mechanism also obfuscates the shared information to safeguard it from eavesdroppers who strive to model the underlying PUF using machine learning techniques. Secondly, we further combine the advantage of PUFs, and the agility and configurability of physical-layer communication mechanisms, specifically the Multi-Input Multi Output (MIMO) method. We devise a protocol that utilizes an innovative method to counter attackers who might intercept the communication between δy and δx and uncover a set of CRPs to model δx’s PUF. Our protocol encodes the challenge bit using MIMO antennas array in a manner that is controlled by the verifier and that varies overtime. Additionally, we derive a two-factors authentication protocol by associating a Radio Frequency (RF) fingerprint with PUF. Such a unique combination obviates the need for traditional identification methods that rely on key storage for authentication. This identification mechanism enables the protocol to obfuscate the PUF response, circumventing the need for the incorporation of cryptographic primitives. Since both the PUF and the RF-fingerprint are based on unintended variations caused by manufacturing, we aim to increase robustness and mitigate the potential effect of noise by applying the fuzzy extractor. Such a protocol does not retain CRPs of a node during the enrollment phase, nor does it incorporate a cryptosystem. All the aforementioned techniques enable mutual authentication of two devices without the involvement of a trusted third party. The experimental results demonstrate the efficacy of the proposed protocols against modeling attacks and impersonation attempts.
    15 0
  • Thumbnail Image
    ItemRestricted
    Lightweight Cryptographic Mechanisms for Internet of Things and Embedded Systems
    (2023-03) Bin Rabiah, Abdulrahman; Abu-Ghazaleh, Nael; Richelson, Silas
    Today, IoT devices such as health monitors and surveillance cameras are widespread. As the industry matures, IoT systems are becoming pervasive. This revolution necessitates further research in network security, as IoT systems impose constraints on network design due to the use of lightweight, computationally weak devices with limited power and network connectivity being used for varying and unique applications. Thus, specialized secure protocols which can tolerate these constraints are needed. This dissertation examines three problems in the constrained IoT setting: 1) Key exchange, 2) Authentication and 3) Key management. First, IoT devices often gather critical information that needs to be communicated in a secure manner. Authentication and secure communication in an IoT environment can be difficult because of constraints, in computing power, memory, energy and network connectivity. For secure communication with the rest of the network, an IoT device needs to trust the gateway through which it communicates, often over a wireless link. An IoT device needs a way of authenticating the gateway and vice-versa, to set up that secure channel. We introduce a lightweight authentication and key exchange system for IoT environments that is tailored to handle the IoT-imposed constraints. In our system, the gateway and IoT device communicate over an encrypted channel that uses a shared symmetric session key which changes periodically (every session) in order to ensure perfect forward secrecy. We combine both symmetric-key and public-key cryptography based authentication and key exchange, thus reducing the overhead of manual configuration. We study our proposed system, called Haiku, where keys are never exchanged over the network. We show that Haiku is lightweight and provides authentication, key exchange, confidentiality, and message integrity. Haiku does not need to contact a Trusted Third Party (TTP), works in disconnected IoT environments, provides perfect forward secrecy, and is efficient in compute, memory and energy usage. Haiku achieves 5x faster key exchange and at least 10x energy consumption reductions. Second, signature-based authentication is a core cryptographic primitive essential for most secure networking protocols. We introduce a new signature scheme, MSS, that allows a client to efficiently authenticate herself to a server. We model our new scheme in an offline/online model where client online time is premium. The offline component derives basis signatures that are then composed based on the data being signed to provide signatures efficiently and securely during run-time. MSS requires the server to maintain state and is suitable for applications where a device has long-term associations with the server. MSS allows direct comparison to hash chain-based authentication schemes used in similar settings, and is relevant to resource-constrained devices e.g., IoT. We derive MSS instantiations for two cryptographic families, assuming the hardness of RSA and decisional Diffie-Hellman (DDH) respectively, demonstrating the generality of the idea. We then use our new scheme to design an efficient time-based one-time password (TOTP) system. Specifically, we implement two TOTP authentication systems from our RSA and DDH instantiations. We evaluate the TOTP implementations on Raspberry Pis which demonstrate appealing gains: MSS reduces authentication latency and energy consumption by a factor of ∼82 and 792, respectively, compared to a recent hash chain-based TOTP system. Finally, we examine an important sub-component of the massive IoT technology, namely connected vehicles (CV)/Internet of Vehicles (IoV). In the US alone, the US department of transportation approximates the number of vehicles to be around 350 million. Connected vehicles is an emerging technology, which has the potential to improve the safety and efficiency of the transportation system. To maintain the security and privacy of CVs, all vehicle-to-vehicle (V2V) communications are typically established on top of pseudonym certificates (PCs) which are maintained by a vehicular public key infrastructure (VPKI). However, the state-of-the-art VPKIs (including SCMS; the US VPKI standard for CV) often overlooked the reliability constraint of wireless networks (which eventually degrades the VPKI security) that exists in high-mobility environments such as CV networks. This constraint stems from the short coverage time between an on-board unit (OBU) inside a fast moving vehicle and a stationary road-side unit (RSU). In this work, we present TVSS, a novel VPKI design that pushes critical VPKI operations to the edge of the network; the RSU, while maintaining all security and privacy assumptions in the state-of-the-art VPKIs. Our real-life testbed shows a reduced PC generation latency by 28.5x compared to recent VPKIs. Furthermore, our novel local pseudonym certificate revocation lists (PCRLs) achieves 13x reduction in total communication overhead for downloading them compared to delta PCRLs.
    32 0

Copyright owned by the Saudi Digital Library (SDL) © 2025