Funding: This work was supported by the Ministry of Science and Technology, Taiwan, under grants MOST 110-2218-E-011-007-MBK, MOST 111-2218-E-011-012-MBK, MOST 109-2221-E-011-110-MY2, MOST 109-2221-E-259-011-MY2, MOST 110-2629-E-259-001, MOST 110-2926-I-259-501, and MOST 110-2634-F-A49-004.
Abstract: As permissioned blockchain becomes a common foundation of blockchain-based circumstances for current organizations, related stakeholders need a means to assess the trustworthiness of the applications involved within. It is extremely important to consider the potential impact brought by the blockchain technology in terms of security and privacy. Therefore, this study proposes a rigorous security risk management framework for permissioned blockchain-enabled applications. The framework divides itself into different implementation domains, i.e., organization security, application security, consensus mechanism security, node management and network security, host security and perimeter security, and simultaneously provides guidelines to control the security risks of permissioned blockchain applications with respect to these security domains. In addition, a case study, including security testing and risk evaluation on each stack of a specific organization, is demonstrated as an implementation instruction of our proposed risk management framework. To the best of our knowledge, this study is one of the pioneering studies that provide a means to evaluate the security risks of permissioned blockchain applications from a holistic point of view. If users can trust the applications that adopted this framework, this study can contribute to the adoption of permissioned blockchain-enabled technologies. Furthermore, application providers can use the framework to perform gap analysis on their existing systems and controls and understand the risks of their applications.
Funding: Project supported by the Taiwan Information Security Center (TWISC) and the Ministry of Science and Technology, Taiwan (Nos. MOST 103-2221-E-259-016-MY2 and MOST 103-2221-E-011-090-MY2)
Abstract: With the rapid growth of electronic commerce and associated demands on variants of Internet-based applications, application systems providing network resources and business services are in high demand around the world. To guarantee robust security and computational efficiency for service retrieval, a variety of authentication schemes have been proposed. However, most of these schemes have been found to be lacking when subject to a formal security analysis. Recently, Chang et al. (2014) introduced a formally provable secure authentication protocol with the property of user-untraceability. Unfortunately, based on our analysis, the proposed scheme fails to provide the property of user-untraceability as claimed, and is insecure against user impersonation attack, server counterfeit attack, and man-in-the-middle attack. In this paper, we demonstrate the details of these malicious attacks. A security enhanced authentication scheme is proposed to eliminate all identified weaknesses.
Funding: Project (Nos. 101-2218-E-011-001, 100-2218-E-259-004-MY2, and 101-2219-E-011-004) partially supported by the Taiwan Information Security Center (TWISC), National Science Council (NSC), Taiwan
Abstract: Yang and Chang (2009) proposed a three-party authenticated key exchange protocol for securing communications in mobile-commerce environments. Their protocol reduces computation and communication costs by employing elliptic curve cryptosystems. However, Tan (2010) pointed out that Yang and Chang (2009)'s protocol cannot withstand impersonation and parallel attacks, and further proposed an enhanced protocol to resist these attacks. This paper demonstrates that Tan (2010)'s approach still suffers from impersonation attacks, and presents an efficient and secure three-party authenticated key exchange protocol to overcome shown weaknesses.
Funding: Project (Nos. 102-2218-E-259-004, 102-2218-E-146-002, and 1022218-E-011-012) supported by Taiwan Information Security Center (TWISC) and National Science Council, Taiwan
Abstract: Numerous smart card based authentication protocols have been proposed to provide strong system security and robust individual privacy for communication between parties these days. Nevertheless, most of them do not provide formal analysis proof, and the security robustness is doubtful. Chang and Cheng (2011) proposed an efficient remote authentication protocol with smart cards and claimed that their proposed protocol could support secure communication in a multi-server environment. Unfortunately, there are opportunities for security enhancement in current schemes. In this paper, we identify the major weakness, i.e., session key disclosure, of a recently published protocol. We consequently propose a novel authentication scheme for a multi-server environment and give formal analysis proofs for security guarantees.