LEE - Information Security Engineering and Cryptography - PhD

Recent Submissions

Now showing 1 - 5 of 5
  • Item
    Group authentication and key establishment scheme
    (Graduate School, 2024-09-03) Güzey, Sueda Rüveyda ; Özdemir, Enver ; 707192005 ; Cybersecurity Engineering and Cryptography
    The authentication phase serves as the foundational cornerstone for ensuring secure data transmission and confidential communication. In the ever-expanding landscape of devices communicating with each other, especially IoT, the conventional approach, one-to-one authentication, poses a significant challenge, burdening computation and communication with a growing strain due to the escalating complexity of the environment. In other words, standard cryptographic algorithms—such as RSA, which relies on prime number factorization, and Diffie-Hellman Key Exchange, which is based on the hardness assumption of the discrete logarithm problem—have traditionally been used for authentication. However, these algorithms may not be suitable for resource-constrained devices, particularly in a dynamic and crowded environment. Group authentication schemes (GASs) represent an innovative approach to authentication. Group authentication involves verifying that a designated set of users are part of a specific group and, in case of need, subsequently distributing a shared key among them for confidential group communication. That is, a GAS can authenticate many users simultaneously. The recently presented group authentication algorithms mainly exploit Lagrange polynomial interpolation along with elliptic curve groups over finite fields. These systems require collecting a specific number of legitimate users' private keys to complete the authentication phase. That is, the scheme requires each entity to acquire tokens from all other entities, making it impractical for large-scale environments. The need for secret sharing makes these algorithms vulnerable to disruption by a single malicious entity. Additionally, in the current algorithms based on polynomial interpolation, the cost of authentication and key establishment also depends on the number of users, which poses a scalability challenge.
    Introducing a novel methodology, this study advocates the adoption of linear fields for group authentication and key generation, scalable to groups of varying sizes. Leveraging linear spaces minimizes the computational and communication burdens associated with establishing a shared key within the group. The inherent benefits of utilizing vector spaces render this proposed method particularly well-suited for energy- and resource-constrained devices, positioning it as a viable option for integration within Internet of Things (IoT) networks. A standout feature of our work is its ability to empower any user in a group to elevate a non-member to member status. This feature is a potential utility for future autonomous systems. The scheme is thoughtfully crafted to ensure that sponsors of these new members can be identified by all members within the group. Moreover, unlike the polynomial-interpolation-based schemes, the proposed scheme easily identifies non-members, which helps prevent denial of service (DoS) attacks that previous group authentication algorithms struggled with. The method proposed in this thesis offers a lightweight group authentication solution that verifies participants in environments with energy- and resource-constrained devices, independent of the number of users. During the group authentication phase, a subspace of the universal space, along with its basis set and a polynomial, are selected by the corresponding group manager and kept secret. The basis sets, derived from the chosen main basis set and polynomial, are distributed to users as their private keys. In each group authentication session, a random vector that does not lie in the subspace and a nonce vector are selected and published. Using their basis sets, users are expected to find the projection vector of the published vector and calculate the inner product with the session nonce vector. Participants are verified by sending some bits of the calculated value.
    In the key generation phase, the steps are identical to those in the group authentication phase. For the projection step, different vectors are publicly disclosed to be utilized for the same purpose. Participants obtain the key for group communication by performing the same operations. Notably, individuals not having a basis set cannot participate in the key building phase, which enhances the overall security level. In scenarios where the group administrator is not directly involved, this study enables any authorized user within the group to add new members. The authorized user adjusts their basis set by selecting specific elements and shares it with the prospective group member. By leveraging this basis set, it becomes possible to identify the individual responsible for adding someone to the group. Within the scope of this thesis, we delve into the recent group authentication studies in the literature. We address the challenges of these studies and propose a novel linear-space-based group authentication scheme that overcomes them. Additionally, we present real-time analyses comparing our algorithm with existing studies, supported by tables and graphs.
  • Item
    A hierarchical key assignment scheme: A unified approach for scalability and efficiency, with a specialized implementation in cloud computing
    (Graduate School, 2024-07-16) Çelikbilek, İbrahim ; Özdemir, Enver ; 707202005 ; Cybersecurity Engineering and Cryptography
    Access control is a fundamental component of information security management, defined as the process of selectively restricting access to resources. This process includes policies and protocols that determine who can access various system resources, under what conditions, and when. It primarily aims to protect data integrity and confidentiality. The proper configuration and implementation of access control systems are crucial, especially for organizations that handle critical and sensitive data. Access methods prevent unauthorized access, thereby protecting sensitive data within the organization from disclosure, alteration, or destruction. Configuring and managing access control processes require the establishment of systems that control and monitor access to resources. These systems operate within the framework of predefined dynamic or static rules and policies. The primary goal is to ensure that only authorized users can access target resources and perform specific actions. Various access models have been developed to effectively implement access controls. These models, which regulate access to system resources, include mandatory, discretionary, role-based, rule-based, attribute-based, and identity-based access methods. Each model aims to provide solutions that meet the requirements of the access environment and comply with institutional or organizational policies. In cases where these models alone are insufficient, particularly in environments with resources and users that have different security and clearance levels, the use of multilevel access control models like Bell-LaPadula may be necessary. These and similar models can typically be configured to the needs of the access environment by combining multiple simple access models and making various additions and modifications. 
    If the users and/or resources in an access environment have a hierarchical structure, and access to resources is granted hierarchically, this type of control is called hierarchical access control. Such access environments require various access tools and policies, along with multilevel access control models, to make access secure, hierarchical, and effective. Hierarchical key assignment schemes are one of the most crucial components within the information security management systems of organizations that handle sensitive data. As an application of hierarchical access control, these schemes ensure hierarchical and secure access to secret cryptographic keys for users at various clearance levels. In hierarchical key assignment schemes, users within the access environment are divided into different classes (groups) that form a hierarchical structure, and a unique secret cryptographic key is assigned to each class. The hierarchical structure based on these classes forms a partially ordered set, which is often represented by an access graph. Typically, these structures define public/private key components for the scheme itself, and for the classes and/or edges within the access graph. In an access graph, a user in a class at a higher security (classification) level can derive the secret key of their own class, and also the secret keys of all descendant classes, using a combination of their own class's secret key and the public/private key components of descendant classes, the scheme and/or edges. These schemes serve as a crucial component of cryptographic key management systems in various critical domains today. Among these domains are cloud computing, organizational data access, healthcare systems, multilevel databases, the Internet of Things, drone swarm coordination, and the protection of customer information in the finance sector.
    Particularly in cloud computing environments, the presence of different user roles and access levels necessitates hierarchical and multi-layered access to system resources.
  • Item
    Privacy-preserving authentication methods
    (2024-08-23) Baykal Nari, Kübra ; Özdemir, Enver ; 707182004 ; Cybersecurity Engineering and Cryptography
    The last century of the technology age has introduced us to many trends that will shape our future. The Internet is not only limited to our computers, but almost every device we use in our daily lives now has an Internet connection. Smartphones, smartwatches, connected cars, smart home technologies, and even smart kitchen appliances are part of the lives of most of us. While the number of IoT devices is measured in billions today, it is an inevitable and expected reality that this number will increase exponentially. These devices that make our lives easier and contribute to our quality of life may not be as innocent as they seem. We share all kinds of personal data with these technological devices: from our sleep patterns to our pulse, from our home temperature to our home/vehicle location, how often we clean our house, what we eat for dinner and more. At this point, concerns about the security of our personal data have a seriously important place. Information security on a system is ensured by the concept called the CIA triad, which includes the concepts of confidentiality, integrity, and accessibility. The concept of information security ensures that data can only be accessed by authorized persons and institutions without compromising its integrity and that it cannot be accessed by unauthorized persons through various security mechanisms. Security mechanisms include various cryptographic algorithms, and the security of these cryptographic algorithms depends on some mathematical problems that are considered hard. However, some of these traditional methods are applicable to devices that do not have any energy restrictions, such as computers or servers. Considering the processing power and energy capacity of devices in an IoV environment, security solutions currently used in information technology will remain dysfunctional. 
    The first step in protecting information is establishing secure communication and properly authenticating the identity of the related person. From the past to the present, cryptographic algorithms have been employed in authentication systems. These algorithms, as mentioned above, are based on the hardness of various mathematical problems. For example, while the security of the RSA algorithm is based on the difficulty of factoring large numbers, the security of the Diffie-Hellman key exchange algorithm is directly proportional to the difficulty of solving the discrete logarithm problem. Although these algorithms ensure the security of the systems at some level, they are quite costly in terms of computational load. Considering the nature of today's technological devices, integrating these algorithms will not be feasible. At this stage, a research area emerges regarding security algorithms to be employed for devices with high mobility and limited resources. The IoV concept, which is a sub-branch of the IoT concept, has become more popular recently, but there is still a lack of studies on the IoV environment. Practically applicable research that can meet the requirements of these devices will shed light on our future. The method proposed within the scope of the thesis targets connected autonomous vehicles, IoV environments, and platooning concepts in IoV environments as its application area. The method proposes a privacy-preserving group-based authentication scheme. The working principle of the proposed method is based on certain pre-defined groups and the communication among these groups. Within the scope of the method, there are components such as vehicles, groups that include vehicles, group managers that manage and conduct the authentication processes in the groups, and RSUs. There are two basic steps in the method for a vehicle to join a group and perform authentication operations: the initial registration phase and the authentication or group handover phase.
    During the initial registration phase, the vehicle must receive a key pair from a certification authority; this key pair is used in legal situations. The key pair can only be used by legally authorized organizations to access the vehicle in cases such as traffic accidents or malicious usage of the vehicle. During the initial registration phase, the vehicle also receives a key pair containing the group's public and private keys, which are used for subsequent authentication and group handover operations. After the initial registration process, the vehicle is included in a group. The authentication operation for the future group handover process is conducted by the group manager. After the initial registration phase is successfully completed, the vehicle is involved in a group structure with other vehicles located in the same geographical location as the group manager. When the vehicle starts traveling and goes into the coverage area of another target group manager, it sends a group handover request to its own group manager. There is a secure communication channel between group managers, and the private function of the group is shared through this communication channel among these group managers. Then, the targeted group manager shares a temporary nonce value based on the timestamp with the vehicle. Then the vehicle generates a value by combining its secret key with the nonce value. The vehicle uses the generated value as a symmetric key, encrypts its own group secret key with this value, and sends it to the targeted group manager. The targeted group manager decrypts the encrypted data, compares its own calculated data with the vehicle's decrypted data, and thus authenticates the vehicle. The targeted group manager sends the new group information, that is, the group public and private key pair, to the successfully authenticated vehicle. Thus, the vehicle is now included in a new group. All these processes occur in under a millisecond.
    Therefore, it is a very advantageous method for an IoV vehicle with limited resources. The method is not only an applicable candidate in the IoV environment but also in different systems where a group structure can be constructed. Additionally, a protocol for public transportation platoons in smart cities has been proposed as an application of the method proposed within the scope of the thesis. The symmetric key encryption algorithm employed during the authentication phase is left flexible depending on the configuration of the system to be integrated. However, in the proposed method and tests, the AES algorithm was utilized for symmetric key encryption. The scope of the thesis includes a literature review that encompasses many current studies relevant to various vehicle networks. In comparing the proposed method, some of these current methods were implemented. Comparisons are based on real-time analyses, with comprehensive result graphs and tables. Test results reveal the advantages of the privacy-preserving group-based authentication method compared to its alternatives. A detailed security analysis of the method demonstrates that it is an effective candidate for a security solution that is both resistant to known attacks and applicable to IoV systems.
  • Item
    A hierarchical key assignment scheme for access control in cloud computing
    (Graduate School, 2022-06-10) Çeliktaş, Barış ; Özdemir, Enver ; 707182002 ; Cyber Security Engineering and Cryptography
    Today, organizations no longer have to spend huge amounts of money on physical servers and related information technology infrastructure such as server rooms or data centers, because large initial capital expenditures and operational expenditures are significantly reduced due to the relatively new method called cloud computing. In addition, administrative challenges include establishing well-designed disaster recovery and business continuity plans, building fault-tolerant and scalable systems, full-time availability, and greater collaboration with stakeholders needed by organizations. These all lead companies to outsource services such as storage systems, large-scale computations and hosting. Among cloud deployment models, the public cloud is currently the most preferred by companies due to its cost-effectiveness, although it raises many concerns, especially for military, health, and banking organizations, where confidentiality and privacy are crucial. The main concerns of these organizations, which operate in a hierarchical manner, are confidentiality, privacy, availability, integrity, reliability, data lock-in, and regulatory compliance. Besides the above-mentioned concerns, the integration of a data access control policy into any cloud deployment model by the data owner is also a challenging topic in the research community. In this thesis, we will focus on finding a solution to confidentiality and privacy concerns. The first solution that comes to mind for the focused concerns should be found in cryptography tools. It is very crucial for organizations to follow a secure key management policy to ensure the confidentiality of sensitive data using encryption. What motivates us to conduct this research is to introduce a secure, flexible, hierarchical, and practical key access control mechanism that eliminates or minimizes confidentiality and privacy concerns in the transition to the cloud for hierarchical organizations utilizing sensitive data.
    In this context, we will present two different hierarchical access control schemes to be used in the secure adoption of the public cloud for hierarchical organizational structures and demonstrate that the use of these schemes provides a flexible, efficient, and secure hierarchical key access control mechanism for the entirety of the hierarchy. Note that these schemes can also be used by organizations that do not consume cloud services to manage their internal key management and access controls. The first proposed scheme is based on an inner product space and the orthogonal projection method, whereas the second is based on Shamir's secret sharing algorithm and the polynomial interpolation method. These are also different in approach. The first one adopts a top-down approach where a user of any security level can access the key/data of the same and/or lower security level by default, while the second one needs the approval of the users at the same and/or higher security level to access the key/data; in other words, it adopts a bottom-up approach. The first scheme is based on an inner product space and can be utilized in any cloud delivery model where the data owner implements a hierarchical access control policy. While distributing a basis for each class by the data owner, a left-to-right and bottom-up policy can ensure much more flexibility and efficiency, especially during any change in the structure. For each class, the secret keys can be derived only when a predetermined subspace is available. This scheme is resistant to collusion/collaboration attacks and privilege creep problems, as well as providing key recovery and key indistinguishability security. The performance analysis also shows us that the data storage overhead is much more tolerable than in other schemes in the literature. In addition, the other advantage is that it requires only one operation to derive the secret key of child classes securely and efficiently.
    In other words, these experimental results satisfy all of the desired performance and security requirements. The second scheme is based on Shamir's secret sharing algorithm and the polynomial interpolation method. We provide a secure method for each user of this entity to access the public cloud from both inside and outside the company's network. The scheme offers a secure, flexible, and hierarchical key access mechanism for organizations utilizing sensitive data. It also minimizes concerns about moving sensitive data to the public cloud and ensures that only users with sufficient approvals from the same or higher privileged users can access the data by making use of the topological ordering of a directed graph, including self-loops. Our policy in this scheme is to obtain permission approval for bottom-up access. Main overheads such as public and private storage needs are reduced to a tolerable level, and the key derivation is cost-effective. From a security perspective, this scheme is both resistant to collusion/collaboration attacks and provides key indistinguishability security. Since the key does not need to be kept anywhere, the key disclosure risk is also eliminated. In summary, in this thesis, to take full advantage of these different approaches, the data owner can choose the one that best suits the security policy and hierarchical structure of the organization. If required, the data owner can also design an infrastructure that is a mixture of these two approaches.
  • Item
    Group authentication for next generation networks
    (Graduate School, 2022-05-12) Aydın, Yücel ; Özdemir, Enver ; Kurt Karabulut, Güneş Zeynep ; 707172003 ; Cybersecurity Engineering and Cryptography
    In this thesis, performing handover operations as a group is proposed and simulated to decrease time latency and the number of communications. The security aspects of authentication and handover for drone swarms are presented in the thesis. The reason for selecting drone swarms is to examine authentication in a group and the rising use of drones everywhere in daily life. The number of drones used for military or commercial applications is getting higher every day. Border security, visual shows, and cargo delivery are some examples of drone applications. Due to their flying time and limited coverage area, a single drone cannot perform intensive tasks. While providing mobile service via aerial base stations, some UxNBs can turn back to the control station and new drones can be sent to the area to accomplish the tasks. For these reasons, it is preferred to use drone swarms for intensive tasks rather than a single drone. The first security problem for the drone swarm is the authentication of new drones sent by the drone control station to join the swarm. If it is possible to include a drone in the swarm without authentication, any intruder can impersonate a drone and send it to the swarm for various attacks. In addition to authentication, the communication inside the swarm should be encrypted and each party should use a group key. The group key may also be shared with the newly authenticated drone. The next security requirement for the drone swarm is the mutual authentication of two drone swarms to perform more intensive tasks. If the authentication solution for UAV authentication in 5G is exploited for mutual authentication, the number of communications and scalability should be taken into consideration, since each party from one swarm should perform authentication with the UAVs from the other swarm. Group authentication solutions may be used to overcome the scalability and high-communication-count issues.
    Drone swarms also have security and latency issues for handover operations. There are two kinds of handover operations for drone swarms. One is the handover of a drone swarm from the serving terrestrial base station to a new base station. The other is the handover of UxNBs if the base station is not terrestrial but aerial. The serving UxNB may run out of flying time, and the drone swarm may start to receive service from a new UxNB. The lightweight group authentication scheme is applied to the authentication and handover operations for drone swarms in the thesis. 5G UAV authentication and handover methods and group-based solutions are implemented in the simulation and the results are compared. According to the results, the group authentication solutions provide better time and less communication for the drone swarms.