ISBN: (print) 9781450322782
It has long been believed that once the voice media between caller and callee is captured or sniffed from the wire, either legally by law enforcement agencies or illegally by hackers through eavesdropping on communication channels, it is easy to listen in on their conversation. In this paper, we show that this common perception is not always true. Our real-world experiments demonstrate that it is feasible to create a hidden telephonic conversation within an explicit telephone call. In particular, we propose a real-time covert communication channel within two-way media streams established between caller and callee. The real-time covert channel is created over the media stream that may possibly be monitored by eavesdroppers. However, the properly encoded media stream acts as a cover (or decoy) carrying bogus media such as an earlier recorded voice conversation. This spurious content will be heard if the media stream is intercepted and properly decoded. However, the calling and called parties protected by the covert communication channel can still directly talk to each other in privacy and real-time, just like any other normal phone call. This work provides an additional security layer against media interception attacks; however, it also exposes a serious security concern to CALEA (Communications Assistance for Law Enforcement Act) wiretapping and its infrastructure. Copyright 2014 ACM.
ISBN: (print) 9781450322782
Developments in health information technology have encouraged the establishment of distributed systems known as Health Information Exchanges (HIEs) to enable the sharing of patient records between institutions. In many cases, the parties running these exchanges wish to limit the amount of information they are responsible for holding because of sensitivities about patient information. Hence, there is an interest in broker-based HIEs that keep limited information in the exchange repositories. However, it is essential to audit these exchanges carefully due to risks of inappropriate data sharing. In this paper, we consider some of the requirements and present a design for auditing broker-based HIEs in a way that controls the information available in audit logs and regulates their release for investigations. Our approach is based on formal rules for audit and the use of Hierarchical Identity-Based Encryption (HIBE) to support staged release of data needed in audits and a balance between automated and manual reviews. We test our methodology via an extension of a standard for auditing HIEs called the Audit Trail and Node Authentication Profile (ATNA) protocol. Copyright 2014 ACM.
ISBN: (print) 9781450329576
Motivated by privacy and usability requirements in various scenarios where existing cryptographic tools (like secure multi-party computation and functional encryption) are not adequate, we introduce a new cryptographic tool called Controlled Functional Encryption (C-FE). As in functional encryption, C-FE allows a user (client) to learn only certain functions of encrypted data, using keys obtained from an authority. However, we allow (and require) the client to send a fresh key request to the authority every time it wants to evaluate a function on a ciphertext. We obtain efficient solutions by carefully combining CCA2 secure public-key encryption (or rerandomizable RCCA secure public-key encryption, depending on the nature of security desired) with Yao's garbled circuit. Our main contributions in this work include developing and formally defining the notion of C-FE; designing theoretical and practical constructions of C-FE schemes achieving these definitions for specific and general classes of functions; and evaluating the performance of our constructions on various application scenarios.
ISBN: (print) 9781450322782
To mitigate security concerns of outsourced databases, quite a few protocols have been proposed that outsource data in encrypted format and allow encrypted query execution on the server side. Among the more practical protocols, the "bucketization" approach facilitates query execution at the cost of reduced efficiency by allowing some false positives in the query results. Precise Query Protocols (PQPs), on the other hand, enable the server to execute queries without incurring any false positives. Even though these protocols do not reveal the underlying data, they reveal the query access pattern to an adversary. In this paper, we introduce a general attack on PQPs based on access pattern disclosure in the context of secure range queries. Our empirical analysis on several real-world datasets shows that the proposed attack is able to disclose a significant amount of sensitive data with high accuracy provided that the attacker has a reasonable amount of background knowledge. We further demonstrate that a slight variation of such an attack can also be used on imprecise protocols (e.g., bucketization) to disclose a significant amount of sensitive information. Copyright 2014 ACM.
ISBN: (print) 9781450318907
The proceedings contain 41 papers. The topics discussed include: for some eyes only: protecting online information sharing; do online social network friends still threaten my privacy?; exploring dependency for query privacy protection in location-based services; expression rewriting for optimizing secure computation; efficient discovery of de-identification policy options through a risk-utility frontier; data usage control enforcement in distributed systems; privacy by design: a formal framework for the analysis of architectural choices; comparative eye tracking of experts and novices in web single sign-on; cross-layer detection of malicious websites; a file provenance system; enhancing performance of searchable encryption in cloud computing; a fine-grained access control model for key-value systems; emulating Internet topology snapshots in deterlab; and a study of user password strategy for multiple accounts.
ISBN: (print) 9781450332323
SNOOP is an adaptive middleware for secure multi-party computations (SMC). It combines support for secure multi-party computations, encryption, public key infrastructure (PKI), certificates, and certificate authorities (CA). It is used to perform statistical analysis of electronic health record (EHR) data. EHR data are typically located at different general practices and hospitals. SNOOP and the deployment of SNOOP applications have to take into consideration legal, security and privacy issues involved in statistical analysis of such data. SNOOP tries to support a wide range of possible SMC algorithms and computing graphs. It provides high-level programming abstractions that adapt to the current run-time environment at deploy time. Contracts are provided to match the application requirements with available run-time functionality and requirements. Copyright 2014 ACM.
OAuth 2.0 protocol has enjoyed wide adoption by Online Social Network (OSN) providers since its inception. Although the security guideline of OAuth 2.0 is well discussed in RFC6749 and RFC6819, many real-world attacks...