References of "Genç, Ziya Alper 50024603"
     in
Bookmark and Share    
Full Text
Peer Reviewed
See detailA Security Analysis, and a Fix, of a Code-Corrupted Honeywords System
Genç, Ziya Alper UL; Lenzini, Gabriele UL; Ryan, Peter UL et al

in Proceedings of the 4th International Conference on Information Systems Security and Privacy (2018)

In 2013 Juels and Rivest introduced the Honeywords System, a password-based authentication system designed to detect when a password file has been stolen. A Honeywords System stores passwords together ... [more ▼]

In 2013 Juels and Rivest introduced the Honeywords System, a password-based authentication system designed to detect when a password file has been stolen. A Honeywords System stores passwords together with indistinguishable decoy words so when an intruder steals the file, retrieves the words, and tries to log-in, he does not know which one is the password. By guessing one from the decoy words, he may not be lucky and reveal the leak. Juels and Rivest left a problem open: how to make the system secure even when the intruder corrupted the login server’s code. In this paper we study and solve the problem. However, since “code corruption” is a powerful attack, we first define rigorously the threat and set a few assumptions under which the problem is still solvable, before showing meaningful attacks against the original Honeywords System. Then we elicit a fundamental security requirement, implementing which, we are able to restore the honeywords System’s security despite a corrupted login service. We verify the new protocol’s security formally, using ProVerif for this task. We also implement the protocol and test its performance. Finally, at the light of our findings, we discuss whether it is still worth using a fixed honeywords-based system against such a powerful threat, or whether it is better, in order to be resilient against code corruption attacks, to design afresh a completely different password-based authentication solution. [less ▲]

Detailed reference viewed: 53 (11 UL)
Full Text
Peer Reviewed
See detailExamination of a New Defense Mechanism: Honeywords
Genç, Ziya Alper UL; Kardaş, Süleyman; Kiraz,

in Proceedings of the 11th WISTP International Conference on Information Security Theory and Practice (2017)

Past experiences show us that password breach is still one of the main methods of attackers to obtain personal or sensitive user data. Basically, assuming they have access to list of hashed passwords ... [more ▼]

Past experiences show us that password breach is still one of the main methods of attackers to obtain personal or sensitive user data. Basically, assuming they have access to list of hashed passwords, they apply guessing attacks, i.e., attempt to guess a password by trying a large number of possibilities. We certainly need to change our way of thinking and use a novel and creative approach in order to protect our passwords. In fact, there are already novel attempts to provide password protection. The Honeywords system of Juels and Rivest is one of them which provides a detection mechanism for password breaches. Roughly speaking, they propose a method for password-based authentication systems where fake passwords, i.e., "honeywords" are added into a password file, in order to detect impersonation. Their solution includes an auxiliary secure server called "honeychecker" which can distinguish a user's real password among her honeywords and immediately sets off an alarm whenever a honeyword is used. However, they also pointed out that their system needs to be improved in various ways by highlighting some open problems. In this paper, after revisiting the security of their proposal, we specifically focus on and aim to solve a highlighted open problem, i.e., active attacks where the adversary modifies the code running on either the login server or the honeychecker. [less ▲]

Detailed reference viewed: 17 (0 UL)
Full Text
Peer Reviewed
See detailSecurity attacks and enhancements to chaotic map-based RFID authentication protocols
Kardaş, Süleyman; Genç, Ziya Alper UL

in Wireless Personal Communications (2017)

Radio frequency identification (RFID) technology has been increasingly integrated into numerous applications for authentication of objects or individuals. However, because of its limited computation power ... [more ▼]

Radio frequency identification (RFID) technology has been increasingly integrated into numerous applications for authentication of objects or individuals. However, because of its limited computation power, RFID technology may cause several security and privacy issues such as tracking the owner of the tag, cloning of the tags and etc. Recently, two chaotic map-based authentication protocols have been proposed for low-cost RFID tags in order to eliminate these issues. In this paper, we give the security analysis of these protocols and uncover their weaknesses. We prove that these protocols are vulnerable to tag tracing, tag impersonation and desynchronization attacks. The attack complexity of an adversary is polynomial and the success probability of these attacks are substantial. Moreover, we also propose an improved RFID authentication protocol that employs Chebyshev chaotic maps and complies with the EPC global Class 1 Generation 2 standard. Finally, we show that our protocol is resistant against those security issues. [less ▲]

Detailed reference viewed: 16 (1 UL)
Full Text
Peer Reviewed
See detailThe Cipher, the Random and the Ransom: A Survey on Current and Future Ransomware
Genç, Ziya Alper UL; Lenzini, Gabriele UL; Ryan, Peter UL

in Advances in Cybersecurity 2017 (2017)

Although conceptually not new, ransomware recently regained attraction in the cybersecurity community: notorious attacks in fact have caused serious damage, proving their disruptive effect. This is likely ... [more ▼]

Although conceptually not new, ransomware recently regained attraction in the cybersecurity community: notorious attacks in fact have caused serious damage, proving their disruptive effect. This is likely just the beginning of a new era. According to a recent intelligence report by Cybersecurity Ventures, the total cost due to ransomware attacks is predicted to exceed $5 billion in 2017. How can this disruptive threat can be contained? Current anti-ransomware solutions are effective only against existing threats, and the worst is yet to come. Cyber criminals will design and deploy more sophisticated strategies, overcoming current defenses and, as it commonly happens in security, defenders and attackers will embrace a competition that will never end. In this arm race, anticipating how current ransomware will evolve may help at least being prepared for some future damage. In this paper, we describe existing techniques to mitigate ransomware and we discuss their limitations. Discussing how current ransomware could become even more disruptive and elusive is crucial to conceive more solid defense and systems that can mitigate zero-day ransomware, yielding higher security levels for information systems, including critical infrastructures such as intelligent transportation networks and health institutions. [less ▲]

Detailed reference viewed: 160 (10 UL)
Full Text
Peer Reviewed
See detailSecurity and Efficiency Analysis of the Hamming Distance Computation Protocol Based on Oblivious Transfer
Kiraz, Mehmet Sabır; Genç, Ziya Alper UL; Kardaş, Süleyman

in Security and Communication Networks (2015), 8(18), 4123-4135

Bringer et al. proposed two cryptographic protocols for the computation of Hamming distance. Their first scheme uses Oblivious Transfer and provides security in the semi-honest model. The other scheme ... [more ▼]

Bringer et al. proposed two cryptographic protocols for the computation of Hamming distance. Their first scheme uses Oblivious Transfer and provides security in the semi-honest model. The other scheme uses Committed Oblivious Transfer and is claimed to provide full security in the malicious case. The proposed protocols have direct implications to biometric authentication schemes between a prover and a verifier where the verifier has biometric data of the users in plain form. In this paper, we show that their protocol is not actually fully secure against malicious adversaries. More precisely, our attack breaks the soundness property of their protocol where a malicious user can compute a Hamming distance which is different from the actual value. For biometric authentication systems, this attack allows a malicious adversary to pass the authentication without knowledge of the honest user’s input with at most O(n) complexity instead of O(2n), where n is the input length. We propose an enhanced version of their protocol where this attack is eliminated. The security of our modified protocol is proven using the simulation-based paradigm. Furthermore, as for efficiency concerns, the modified protocol utilizes Verifiable Oblivious Transfer which does not require the commitments to outputs which improves its efficiency significantly. [less ▲]

Detailed reference viewed: 30 (6 UL)