Dissertations / Theses on the topic 'Security tokens'

International Telemetering Conference Proceedings / October 20-23, 2003 / Riviera Hotel and Convention Center, Las Vegas, Nevada
While healthcare industry is striving to achieve e-health systems for improvements in healthcare quality, cost, and access, privacy and security about medical records should be considered carefully. This paper makes a deep study of Public Key Infrastructures (PKIs) and Privilege Management Infrastructures (PMIs) and how they can secure e-health systems. To access resources, e.g. patient records, both authentication and authorization are needed, so public key certificates and attribute certificates are both required to protect healthcare information. From a typical medical scenario, we see not only static but also dynamic permissions are required. Dynamic authorization maybe the most complex problem in e-health systems.

Microservices have emerged as an attractive alternative to more classical monolithic software application architectures. Microservices provides many benefits that help with code base comprehension, deployability, testability, and scalability. As the Information technology (IT) industry has grown ever larger, it makes sense for the technology giants to adopt the microservice architecture to make use of these benefits. However, with new software solutions come new security vulnerabilities, especially when the technology is new and vulnerabilities are yet to be fully mapped out. Authentication and authorization are the cornerstone of any application that has a multitude of users. However, due to the lack of studies of microservices, stemming from their relatively young age, there are no standardized design patterns for how authentication and authorization are best implemented in a microservice. This thesis investigates an existing microservice in order to secure it by applying what is known as a security design pattern for authentication and authorization. Different security patterns were tested and compared on performance. The differing levels of security provided by these approaches assisted in identifying an acceptable security versus performance trade-off. Ultimately, the goal was to give the patterns greater validity as accepted security patterns within the area of microservice security. Another goal was to find such a security pattern suitable for the given microservice used in this project. The results showed a correlation between increased security and longer response times. For the general case a security pattern which provided internal authentication and authorization but with some trust between services was suggested. If horizontal scaling was used the results showed that normal services proved to be the best target. Further, it was also revealed that for lower user counts the performance penalties were close to equal between the tested patterns. This meant that for the specific case where microservices sees lower amounts of traffic the recommended pattern was the one that implemented the maximum amount access control checks. In the case for the environment where the research were performed low amounts of traffic was seen and the recommended security pattern was therefore one that secured all services of the microservices.
Mikrotjänster har framträtt som ett mer attraktivt alternativ än mer konventionella mjukvaruapplikationsarkitekturer såsom den monolitiska. Mikrotjänster erbjuder flera fördelar som underlättar med en helhetsförståelse för kodbasen, driftsättning, testbarhet, och skalbarhet. Då IT industrin har växt sig allt större, så är det rimligt att tech jättar inför mikrotjänstarkitekturen för att kunna utnyttja dessa fördelar. Nya mjukvarulösningar medför säkerhetsproblem, speciellt då tekniken är helt ny och inte har kartlagts ordentligt. Autentisering och auktorisering utgör grunden för applikationer som har ett flertal användare. Då mikrotjänster ej hunnit blivit utförligt täckt av undersökning, på grund av sin relativt unga ålder, så finns det ej några standardiserade designmönster för hur autentisering och auktorisering är implementerade till bästa effekt i en mikrotjänst. Detta examensarbete undersöker en existerande mikrotjänst för att säkra den genom att applicera vad som är känt som ett säkerhetsdesignmönster för autentisering och auktorisering. Olika sådana mönster testades och jämfördes baserat på prestanda i olika bakgrunder. De varierade nivåerna av säkerhet från de olika angreppssätten som säkerhetsmönstrena erbjöd användes för att identifiera en acceptabel kompromiss mellan säkerhet mot prestanda. Målet är att i slutändan så kommer detta att ge mönstren en högre giltighet när det kommer till att bli accepterade som säkerhetsdesignmönster inom området av mikrotjänstsäkerhet. Ett annat mål var att hitta den bästa kandidaten bland dessa säkerhetsmönster för den givna mikrotjänsten som användes i projektet. Resultaten visade på en korrelation mellan ökad säkerhet och längre responstider. För generella fall rekommenderas det säkerhetsmönster som implementerade intern autentisering och auktorisering men med en viss del tillit mellan tjänster. Om horisontell skalning användes visade resultaten att de normala tjänsterna var de bästa valet att lägga dessa resurser på. Fortsättningsvis visade resultaten även att för ett lägre antal användare så var den negativa effekten på prestandan nästan likvärdig mellan de olika mönstren. Detta innebar att det specifika fallet då mikrotjänster ser en lägre mängd trafik så är det rekommenderade säkerhetsmönstret det som implementerad flest åtkomstkontroller. I fallet för den miljö där undersökningen tog plats förekom det en lägre mängd trafik och därför rekommenderades det säkerhetsmönster som säkrade alla tjänster närvarande i mikrotjänsten.

Allt eftersom mer och mer information sparas på datorer så ökar även trycket på att denna information sparas säkert, och att endast behöriga personer kommer åt den.Syftet med arbetet var att se vilka skillnader som finns mellan biometri och tokens, och vilka skillnader som små till medelstora företag borde ta i beaktande när de väljer en autentiseringsmetod. Det förväntade resultatet var då en beskrivning, i form av ett ramverk, över vilka för- och nackdelar som finns med de två metoderna, och således vilken metod som ett enskilt företag som använder ramverket borde använda sig utav.Arbetet genomfördes via en litteraturstudie, i vilket tre databaser användes för att samla information. IEEEXplore, ACM Digital Library, och ScienceDirect var de tre databaser som användes för arbetet. I dessa identifierades ett antal artiklar, som delades upp i kodade kategorier utefter innehåll. Detta i syfte att utföra en tematisk kodad analys.Totalt identifierades 28 artiklar i de olika databaserna. I dessa artiklar identifierades kostnad, säkerhet, integritet, och användarvänlighet som några av de mesta omtalade ämnena. 7 utav de 28 artiklarna pratade om kostnad, 20 av artiklarna nämnde säkerhet, 5 nämnde integritet, och 9 pratade om användarvänlighet. Det fanns även ett antal mindre teman i tvåfaktorsautentisering, skalbarhet, typer av biometri, typer av tokens, och framtida teknologi inom biometri.Efter genomförd analys formulerades ett ramverk i vilket ett smått till medelstort företag kan se vilken metod av autentisering som passar deras företag bäst.
As technology evolves, corporations and enterprises are forced to evolve alongside it. Storing company information and data on servers and computers have become common practice.Initially, the goal with the work presented was to compare biometric authentication and token authentication in relation so SMEs. In the current landscape there is no comprehensive study in these two methods of authentication in relation to SMEs. A framework was developed for system administrators to use when choosing one of these methods of authentication. The framework is a summarization of the works analytical part.A literature study was conducted to reach the goal. Three databases were used as sources of information. These three were namely IEEEXplore, ACM Digital Library, and ScienceDirect. From these sources, literature was identified on which the study was then based. Thematic coding was used to analyze the collected data.After the process of collecting and including/excluding was complete, a total of 28 articles remained. From these articles a total of 10 themes were identified from the thematic coding. These themes were cost, integrity, usability, security pros, security cons, two-factor authentication, scalability, biometric types, token types, and future biometric technology. Four of these were more prevalent, namely cost, integrity, usability, and security.After the analysis was finished the themes that emerged as important were integrity and usability. Because of this, the framework is heavily influenced by these themes and they are particularly important for system administrators to consider.

Le Security Token Offerings, abbreviate in STOs, sono un fenomeno recente che si è diffuso a partire dalla seconda metà del 2017 mantenendo inizialmente la connotazione di Initial Coin Offerings (ICOs), per poi prestare maggiore attenzione alla regolamentazione e differenziarsi in token sales in cui il token è uno strumento finanziario regolamentato. Come si avrà modo di osservare, questo cambio di paradigma è ciò che contraddistingue le STOs. Nel 2017 le ICOs hanno raggiunto un picco di popolarità per poi la maggior parte fallire in meno di un anno, facendo capire agli investitori che le ICOs sono state una bolla speculativa. Nonostante ciò, la validità del modello di raccolta di capitale tramite la vendita di token basati su tecnologia Blockchain non è stata messa in discussione. Proprio per questo sono nate le STOs, delle token sales in cui il token è uno strumento finanziario, che offre tutela agli investitori. Lo scopo di questo lavoro di tesi è stato approfondire la comprensione di questo fenomeno in particolare analizzandone le motivazioni, le caratteristiche e le metodologie con le quali queste STOs vengono realizzate.

Thesis (S.M.)--Massachusetts Institute of Technology, Dept. of Civil and Environmental Engineering, 2007.
Includes bibliographical references (leaves 65-66).
The iLab architecture allows students to execute laboratory experiments remotely through internet. It supports three different kinds of experiments: batched, interactive and sensor-based. The iLab Interactive Experiments architecture includes the following servers and services: the Interactive Service Broker (ISB), the Experiment Storage Service (ESS) and the Lab Server (LS). In addition, students execute interactive experiments by running a Lab Client (LC). In order to support interactive experiments which require scheduled access, the iLab interactive architecture envisions scheduling servers and services which enable students from different campuses to reserve time periods to execute experiments. Since the user side and lab side require different scheduling functionalities, a user-side scheduling server (USS) and a lab-side scheduling server (LSS) are introduced in the iLab Interactive Services to manage reservations. In the first part of this thesis, the philosophy of the scheduling services design and the implementation will be illustrated in detail. In dealing the security issues in the iLab interactive architecture, the complexity of the higher level authentication between iLab processes increases when one considers collaboration between domains. In second part of this thesis, I present a Security Token Service (STS) scheme for using WS-Security to optimize the cross-domain authentication in the iLab interactive architecture. The scheme uses the brokered authentication with a security token issued by the STS. The STS is trusted by the web applications and web services in the iLab interactive architecture to provide interoperable security tokens. A security token is used to convey the credential information and the proof of a relationship with the broker, which can be used by the service to verify the token. A comparison between the STS scheme and the current General Ticket scheme is summarized.
by Tingting Mao.
S.M.

International Telemetering Conference Proceedings / October 20-23, 2003 / Riviera Hotel and Convention Center, Las Vegas, Nevada
Security hardware based on asymmetric algorithm is the key component of Public Key Infrastructure (PKI), which decides the safety and performance of system. Security device in server or client have some common functions. We designed the client token and cryptographic server to improve the performance of PKI, and got obvious effect.

This research proposes a new secure token profile for improving the existing Web Services security standards. It provides a new authentication mechanism. This additional level of security is important for the Service-Oriented Architecture (SOA), which is an architectural style that uses a set of principles and design rules to shape interacting applications and maintain interoperability. Currently, the market push is towards SOA, which provides several advantages, for instance: integration with heterogeneous systems, services reuse, standardization of data exchange, etc. Web Services is one of the technologies to implement SOA and it can be implemented using Simple Object Access Protocol (SOAP). A SOAP-based Web Service relies on XML for its message format and common application layer protocols for message negotiation and transmission. However, it is a security challenge when a message is transmitted over the network, especially on the Internet. The Organization for Advancement of Structured Information Standards (OASIS) announced a set of Web Services Security standards that focus on two major areas. “Who” can use the Web Service and “What” are the permissions. However, the location or domain of the message sender is not authenticated. Therefore, a new secure token profile called: Participant Domain Name Token Profile (PDNT) is created to tackle this issue. The PDNT provides a new security feature, which the existing token profiles do not address. Location-based authentication is achieved if adopting the PDNT when using Web Services. In the performance evaluation, PDNT is demonstrated to be significantly faster than other secure token profiles. The processing overhead of using the PDNT with other secure token profiles is very small given the additional security provided. Therefore all the participants can acquire the benefits of increased security and performance at low cost.

Atualmente o uso de senhas, método comum para efetuar autenticação em páginas da internet, mostra-se uma alternativa com problemas de segurança devido ao aumento de ataques baseados em spyware e phishing. O objetivo desses ataques é obter a senha do usuário, isto é, sua identidade digital sem que o usuário perceba o ocorrido. Para conter esse tipo de ataque, instituições financeiras começaram a adotar a autenticação forte, técnica que emprega o uso simultâneo de múltiplos autenticadores. A combinação das vantagens dos diferentes autenticadores resulta em uma atenuação mútua de suas vulnerabilidades e, em conseqüência, um método mais seguro de verificação de identidade. Esse trabalho apresenta o projeto e a implementação de um dispositivo de autenticação, permitindo combinar o uso de senhas e autenticadores baseados em objeto. As principais características do dispositivo são o seu custo reduzido e o uso de algoritmos criptográficos com código aberto. Algoritmos de código aberto possuem a sua segurança averiguada de forma ampla e independente, característica que dá maior confiabilidade ao sistema, permitindo a qualquer pessoa avaliar o código executado pelo dispositivo.
Currently, password-based authentication is the most widespread identity verification method for web pages access. However it presents security issues due to the growth of attacks based on spywares and phishing. The main purpose of both techniques is the digital identity theft, that is, stealing users\' passwords in an unnoticed way. In order to counter this type of attack, many financial institutions have adopted strong authentication, a technique that employs a simultaneous use of different authentication factors. By synergistically combining the advantages of distinct factors, such arrangement results in the mutual mitigation of the vulnerabilities of each one, yielding an architecturally safer identity verification method. This work presents the design and implementation of an authentication device, which combines passwordbased and object-based authenticators. Its main distinguishing features are the reduced cost and the use of open sourced cryptographic algorithms. Open source algorithms have their security widely and independently verified, a characteristic that helps increase the system\'s reliability, since third parties may check the source code running on the device.

Authentication is a crucial tool used in access control mechanisms to verify a user’s identity. Collaborative Authentication (co-authentication) is a newly proposed authentication scheme designed to improve on traditional token authentication. Co-authentication works by using multiple user devices as tokens to collaborate in a challenge and authenticate a user request on single device. This thesis adds two contributions to the co-authentication project. First, a detailed survey of applications that are suitable for adopting co-authentication is presented. Second, an analysis of tradeoffs between varying protocol designs of co-authentication is performed to determine whether, and how, any designs are superior to other designs.

The enormous growth of the Internet and the World Wide Web has provided the opportunity for an enterprise to extend its boundaries in the global business environment. While commercial functions can be shared among a variety of strategic allies - including business partners and customers, extranets appear to be the cost-effective solution to providing global connectivity for different user groups. Because extranets allow third-party users into corporate networks, they need to be extremely secure and external access needs to be highly controllable. Access control and authorisation mechanisms must be in place to regulate user access to information/resources in a manner that is consistent with the current set of policies and practices both at intra-organisational and cross-organisational levels. In the business-to-customer (B2C) e-commerce setting, a service provider faces a wide spectrum of new customers, who may not have pre-existing relationships established. Thus the authorisation problem is particularly complex. In this thesis, a new authorisation scheme is proposed to facilitate the service provider to establish trust with potential customers, grant access privileges to legitimate users and enforce access control in a diversified commercial environment. Four modules with a number of innovative components and mechanisms suitable for distributed authorisation on extranets are developed: * One-shot Authorisation Module - One-shot authorisation token is designed as a flexible and secure credential for access control enforcement in client/server systems; * Token-Based Trust Establishment Module - Trust token is proposed for server-centric trust establishment in virtual enterprise environment. * User-Centric Anonymous Authorisation Module - One-task authorisation key and anonymous attribute certificate are developed for anonymous authorisation in a multi-organisational setting; * Agent-Based Privilege Negotiation Module - Privilege negotiation agents are proposed to provide dynamic authorisation services with secure client agent environment for hosting these agents on user's platform

The aim of this thesis is to study and describe the theme of Public Key Infrastructure (PKI). Within the scope of minute PKI characterization there is a gradual depiction of particular structural elements, which are above all represented by cryptographic operations (asymetric and symetric cryptography, hash function and digital signature); then, there are also individual PKI subjects that are dealt with, like eg. certification authority, certificates, security protocols, secure heap etc. Last but not least there are a few complete Public Key Infrastructure implementation solutions described (OpenSSL, Microsft CA). The practical part of the thesis, a lab exercise, gives potential students the knowledge of installing OpenSSL system based certification authority. The next task educate students how to secure web server with certificate signed with own CA and also how to secure web server users‘ access control through certificates signed by the previously installed CA.

碩士
國立政治大學
法學院碩士在職專班
107
In recent years, the rise of the blockchain has created a wave of financial technology. With the blockchain technology, new financial products have continuously introduced to the financial market. As the price of virtual currency increase, initial Coin Offering (ICO) has become the new fundraising method. The reason why ICO is favored by new ventures is that the supervisory had no guidelines ICO when it came to the market. New entrepreneurs are rushing to raise funds through the ICO to the public. As the market is full of frauds and speculation, the authorities started to aware that they need to do more. The authorities alerted investors the risks of ICO. However, the warning seemed to be insufficient to stop investors' willingness to invest. The ICO market is still very hot. ICO is similar to Initial Public Offerings (IPOs) in raising funds from public. The different is that investors get tokens instead of stocks in ICO. However, ICO is not regulated that cause supervision loopholes. Some supervision announced that ICO has securities nature should be regulated under the country's securities regulations. Such token issued under the securities laws is called Securities Token Offering (STO). However, the characteristics of ICO are different from IPO, and ICO is complexity and difficult to understand. Traditional securities regulations may not be suitable for STO. Therefore, how to regulate this type of financial instrument is testing the wisdom of the authority. ICO lack transparency, evaluation difficulty, high price volatility and easily manipulation. Its supervision intensity should be higher than traditional IPO. The infrastructure of ICO is blockchain, which is unmodifiable, transactional synchronization and distributed trust. Blockchain used as a financial field, can reduce costs and provide innovative products. It should not be excessively banned to use it. Therefore, suggesting differentiated management allows the issuing company to use the blockchain. Technology issues securities-type tokens, while new entrepreneurs, because of their company's value-added stage, have higher risk attributes, raise funds on the current crowdfunding platform, and impose appropriate restrictions on investor attributes to protect investor rights and maintain finance. In terms of information disclosure, additional requirements, including smart contract, basic technology, token price, acceptable token type, risks, accounting treatments and evaluations are necessary. If the listed company issuing the STO, it should disclose the possible impact on the token issue and influence on the company's shareholders. As for the reporting requirements on STO, are similar to the current IPO, annual reports, quarterly reports and interim reports in the event of special circumstances are needed. Moreover, audit reports on smart contracts and applications related to STO are suggested. Finally, using of blockchain technology can simplize the transaction and settlement process of securities. The authorities should actively consider how to use the technology of blockchain to reshape the role of market participants and achieve smart supervision. The blockchain brings a challenge to the supervision, but it also provides an opportunity. Authorities should be optimistic to build a digital financial market in the future.

Given that phishing is an ever increasing problem, a better authentication system than the current alphanumeric system is needed. Because of the large number of current authentication systems that use alphanumeric passwords, a new solution should be compatible with these systems. We propose a system that uses a graphical password deployed from a Trojan and virus resistant embedded device as a possible solution. The graphical password would require the user to choose a family photo sized to 441x331 pixels. Using this image, a novel, image hash provides an input into a cryptosystem on the embedded device that subsequently returns an encryption key or text password. The graphical password requires the user to click five to eight points on the image. From these click-points, the embedded device stretches the graphical password input to a 32- character, random, unique alphanumeric password or a 256-bit AES key. Each embedded device and image are unique components in the graphical password system. Additionally, one graphical password can generate many 32-character unique, alphanumeric passwords using its embedded device which eliminates the need for the user to memorize many passwords.
Computer Engineering

Biometrics are a field of study with relevant developments in the last decade. Specifically, electrocardiogram (ECG) based biometrics are now deemed a reliable source of identification. One of the major advances in this technology was the improvements in off-the-person authentication, by requiring nothing more than dry electrodes or conductive fabrics to acquire an ECG signal in a non-intrusive way through the user’s hands. However, identification still has a relatively poor performance when using large user databases. In this dissertation we suggest using ECG authentication associated with a smartphone security token in order to improve performance and decrease the time required for the recognition. We develop this technique in a user authentication scenario for a Windows login. We developed our solution using both normal Bluetooth (BT) and Bluetooth Low Energy (BLE) technologies to preserve phone battery; also, we develop apps for Windows Phone and Android, due to limitations detected. Additionally, we took advantage of the Intel Edison’s mobility features to create a more versatile environment. Results proved our solution to be possible. We executed a series of tests, through which we observed an improvement in authentication times when compared to a simple ECG identification scenario. Also, ECG performance in terms of false-negatives and false-positives is also increased.
A biometria é uma área de estudo que observou desenvolvimentos relevantes na última década. Em específico, a biometria baseada no eletrocardiograma (ECG) é atualmente considerada uma fonte de identificação confiável. Um dos maiores avanços nesta tecnologia consiste na evolução da autenticação off-the-person, que permite realizar a aquisição de sinal de forma não intrusiva usando as mãos do utilizador. Contudo, a identificação através deste método ainda apresenta uma performance relativamente baixa quando usada uma base de dados de dimensão acima das dezenas. Nesta dissertação sugerimos usar a autenticação ECG associada a um telemóvel a funcionar como security token com o objectivo de melhorar a performance e diminuir o tempo necessário para o reconhecimento. Para isso, desenvolvemos a nossa solução usando a tecnologia Bluetooth (BL) clássico, mas também Bluetooth Low Energy (BLE) para preservar a bateria do telemóvel; além disto, desenvolvemos as aplicações em Windows Phone e também Android, dadas as limitações que encontrámos. Para criar um ambiente mais versátil e móvel, usámos a recente plataforma Intel Edison. Os resultados obtidos provam que a nossa solução é viável. Executámos uma série de testes, nos quais observámos uma melhoria nos tempos associados à autenticação quando comparados com o cenário clássico de identificação por ECG. Adicionalmente, a performance do ECG no que diz respeito ao número de falsos-negativos e falsos-positivos apresentou também melhoria.

碩士
國立臺灣大學
商學研究所
107
The blockchain is an emerging technology in the world which is creating a new and effective way for companies and people to collaborate. With the blockchain, it is no longer necessary to involve any third party to enable participants to reach consensus and solve trust at a very low cost. Blockchain, like the Internet that emerged in the 20th century, will bring disruptive innovation and change the rules of operation in many industries. The content of this study will focus on Initial Coin Offering and Securities Token Offering, including the introduction of ICO and STO, current status and possible future development of it. I wish this paper can help Taiwanese companies and the public understand blockchain related knowledge well and can become the forerunner of the blockchain industry in the international competition. Finally, sum up the possible drawbacks and failures of the blockchain fundraising, which can make it easier for the public to distinguish the fundraising projects that must fail or even defraud.

M.Sc. (Computer Science)
An increasing number of corporate and government institutions are utilising electronic commerce to provide or improve their services. These new online services are becoming increasingly complex, offering diverse functionality and managing high volumes of personal and confidential data. The protection and confidentiality of such data is imperative but the security mechanisms and the policies governing its security are rarely sufficient. Nonetheless electronic commerce service providers market their services as being “secure” and by doing so they are developing a false sense of security within computer users. Average computer users are aware of security threats like hackers, viruses, Trojans and spyware, but their limited computer knowledge doesn’t allow them to understand, identify or respond to such security threats. A lack of computer knowledge, little experience and gullibility render the average computer user incapable of managing computer security. This is even more true when the average computer user is put up against the wit and cunning of a hacker. Electronic commerce has changed, the threats have changed, the users have changed and electronic commerce security solutions remain the same. Hackers are no longer hobbyists: they hack for financial gain and not fame, they work together and they exploit any security weakness to get what they want. More and more often the average computer user falls victim to hacker attacks, not only because of the above mentioned human factors but also because of weak security mechanisms that govern users’ access to critical online services.

This project describes an authentication technique that is shoulder-surfing resistant. Shoulder surfing is an attack in which an attacker can get access to private information by observing the user’s interaction with a terminal, or by using recording tools to record the user interaction and study the obtained data, with the objective of obtaining unauthorized access to a target user’s personal information. The technique described here relies on gestural analysis coupled with a secondary channel of authentication that uses button pressing. The thesis presents and evaluates multiple alternative algorithms for gesture analysis, and furthermore assesses the effectiveness of the technique.
Universidade da Madeira