Password has been the most used authentication system these days. However, strong passwords are hard to remember and unique to every account. Unfortunately, even with the strongest passwords, password authentication system can still be breached by some kind of attacks. 2FYSH is two tokens-based authentication protocol designed to replace the password authentication entirely. The two tokens are a mobile phone and an NFC card. By utilizing mobile phones as one of the tokens, 2FYSH is offering third layer of security for users that lock their phone with some kind of security. 2FYSH is secure since it uses public and private key along with challenge-response protocol. 2FYSH protects the user from usual password attacks such as man-in-the-middle attack, phishing, eavesdropping, brute forcing, shoulder surfing, key logging, and verifier leaking. The secure design of 2FYSH has made 90% of the usability test participants to prefer 2FYSH for securing their sensitive information. This fact makes 2FYSH best applied to secure sensitive data needs such as bank accounts and corporate secrets.
38 9145 it nfc secured offline password storage (edit lafi)IAESIJEECS
In this paper is all about constructing a device called “One-WORD” that aims to solve this problem. One-word is an offline password keeper aimed at saving and encrypting the passwords in a more secure manner. The main device contains the encrypted passwords while a secure NFC smartcard and a personal pin-code allows the decryption. Even if an attacker is able to get hold the smartcard, or the device it is completely useless without the personal code.
The document describes a proposed system called a Configurable Intelligent Secures - 3FA Smart Lock. The system uses a three-factor authentication model with RFID, PIN, and OTP (one-time password) to provide secure access to a door lock. It uses low-cost hardware like a Raspberry Pi, touchscreen, RFID reader, electric strike, and relay module. The system is designed to be highly secure due to the three-factor authentication and configurable third factor. It also records logs of all access attempts to the lock for security monitoring.
A Survey on Communication for SmartphoneEditor IJMTER
Nowadays security and privacy issues are getting more and more important for people using state of the art communication tools like mobile smartphones or internet.As the power and feature of smartphones increases,so has their vulnerability.By using short range wireless
communication smartphones communicates each other.But the data confidentiality is not guaranteed.In bar code and Near Field Communication enabled devices the smartphones exchange information by simple touch.The main drawback of Near Field Communication and bar code systems is the vulnerable nature to attack since they are using key exchange then encrypt techniques.In the smartphones with android platform,it is possible to provide security against all the
attacks by securely exchanging message or data with-out using key exchange protocol. PriWhisper is an technique that enables key less secure acoustic communication for smartphones and provides better security as well as data confidentiality.
Bluetooth smart (also known as Bluetooth low energy or BLE) is introduced in the legacy Bluetooth 4.0 specification by Bluetooth special interest group. Bluetooth smart is primarily designed for low power embedded devices with limited computation capabilities. With expeditious growth in the IoT technology, BLE has become substantiate criterion for the smart devices.
Bluetooth specification supports the asymmetrical architecture of the LE devices. Memory and processing power requirements of peripheral devices are much lower than the central. This will be a great advantage in case of single mode - peripheral only devices. Device that acts always as peripheral can be designed with low memory, longer battery life and low power consumption. Low power smart wearable devices available in market such as heart rate monitors, blood pressure monitors, fitness kit, smart watches etc run on a small coin cell battery for years.
The document proposes two visual authentication protocols that aim to resist keylogging attacks:
1) A password-based protocol where the server encrypts a random OTP for the user to decrypt and enter on their terminal.
2) A protocol where the server randomizes a keyboard layout and encrypts it for the user to view on their phone to enter their password on the terminal's blank keyboard.
The protocols aim to prevent keyloggers by removing the need for users to type passwords or view decrypted content on compromised terminals. Security analyses argue the protocols would be resistant to keylogging and malware by distributing tasks between devices and users.
The document proposes a virtual password system to improve security for online banking transactions. In the proposed system, a mobile application is used to generate one-time virtual passwords based on a permanent PIN number and random number, removing the vulnerabilities of password delivery via SMS. This virtual password system aims to enhance security by making password guessing and hacking techniques like phishing and keylogging more difficult to exploit.
This document summarizes a research paper that proposes a method for implementing two-factor authentication using mobile devices. The method uses time synchronous authentication based on hashing the current epoch time, a personal identification number, and a secret initialization value. This generates a one-time password on the mobile device that is valid for 60 seconds. The proposed method was implemented on J2ME-based mobile phones and could be extended to Android phones. It aims to provide stronger authentication than passwords alone in a manner that is portable and compatible with mobile devices.
IRJET- Two Way Authentication for Banking SystemsIRJET Journal
This document summarizes a research paper that proposes a two-factor authentication system for banking using QR codes and IMEI numbers. The proposed system aims to improve security over traditional OTP-based systems by generating a unique QR code during each login attempt. This QR code contains an encrypted string with a random number, the user's public key, and their IMEI number. Users can scan the QR code with their registered mobile device to log in. If the information in the QR code decrypts and matches the user's credentials in the database, then login is successful. The goal is to provide easy and secure authentication without needing to remember passwords.
38 9145 it nfc secured offline password storage (edit lafi)IAESIJEECS
In this paper is all about constructing a device called “One-WORD” that aims to solve this problem. One-word is an offline password keeper aimed at saving and encrypting the passwords in a more secure manner. The main device contains the encrypted passwords while a secure NFC smartcard and a personal pin-code allows the decryption. Even if an attacker is able to get hold the smartcard, or the device it is completely useless without the personal code.
The document describes a proposed system called a Configurable Intelligent Secures - 3FA Smart Lock. The system uses a three-factor authentication model with RFID, PIN, and OTP (one-time password) to provide secure access to a door lock. It uses low-cost hardware like a Raspberry Pi, touchscreen, RFID reader, electric strike, and relay module. The system is designed to be highly secure due to the three-factor authentication and configurable third factor. It also records logs of all access attempts to the lock for security monitoring.
A Survey on Communication for SmartphoneEditor IJMTER
Nowadays security and privacy issues are getting more and more important for people using state of the art communication tools like mobile smartphones or internet.As the power and feature of smartphones increases,so has their vulnerability.By using short range wireless
communication smartphones communicates each other.But the data confidentiality is not guaranteed.In bar code and Near Field Communication enabled devices the smartphones exchange information by simple touch.The main drawback of Near Field Communication and bar code systems is the vulnerable nature to attack since they are using key exchange then encrypt techniques.In the smartphones with android platform,it is possible to provide security against all the
attacks by securely exchanging message or data with-out using key exchange protocol. PriWhisper is an technique that enables key less secure acoustic communication for smartphones and provides better security as well as data confidentiality.
Bluetooth smart (also known as Bluetooth low energy or BLE) is introduced in the legacy Bluetooth 4.0 specification by Bluetooth special interest group. Bluetooth smart is primarily designed for low power embedded devices with limited computation capabilities. With expeditious growth in the IoT technology, BLE has become substantiate criterion for the smart devices.
Bluetooth specification supports the asymmetrical architecture of the LE devices. Memory and processing power requirements of peripheral devices are much lower than the central. This will be a great advantage in case of single mode - peripheral only devices. Device that acts always as peripheral can be designed with low memory, longer battery life and low power consumption. Low power smart wearable devices available in market such as heart rate monitors, blood pressure monitors, fitness kit, smart watches etc run on a small coin cell battery for years.
The document proposes two visual authentication protocols that aim to resist keylogging attacks:
1) A password-based protocol where the server encrypts a random OTP for the user to decrypt and enter on their terminal.
2) A protocol where the server randomizes a keyboard layout and encrypts it for the user to view on their phone to enter their password on the terminal's blank keyboard.
The protocols aim to prevent keyloggers by removing the need for users to type passwords or view decrypted content on compromised terminals. Security analyses argue the protocols would be resistant to keylogging and malware by distributing tasks between devices and users.
The document proposes a virtual password system to improve security for online banking transactions. In the proposed system, a mobile application is used to generate one-time virtual passwords based on a permanent PIN number and random number, removing the vulnerabilities of password delivery via SMS. This virtual password system aims to enhance security by making password guessing and hacking techniques like phishing and keylogging more difficult to exploit.
This document summarizes a research paper that proposes a method for implementing two-factor authentication using mobile devices. The method uses time synchronous authentication based on hashing the current epoch time, a personal identification number, and a secret initialization value. This generates a one-time password on the mobile device that is valid for 60 seconds. The proposed method was implemented on J2ME-based mobile phones and could be extended to Android phones. It aims to provide stronger authentication than passwords alone in a manner that is portable and compatible with mobile devices.
IRJET- Two Way Authentication for Banking SystemsIRJET Journal
This document summarizes a research paper that proposes a two-factor authentication system for banking using QR codes and IMEI numbers. The proposed system aims to improve security over traditional OTP-based systems by generating a unique QR code during each login attempt. This QR code contains an encrypted string with a random number, the user's public key, and their IMEI number. Users can scan the QR code with their registered mobile device to log in. If the information in the QR code decrypts and matches the user's credentials in the database, then login is successful. The goal is to provide easy and secure authentication without needing to remember passwords.
Camera based attack detection and prevention tech niques on android mobile ph...eSAT Journals
Abstract Mobile phone security has become an important aspect of security issues in wireless multimedia communications. In this paper, we focus on security issues related to mobile phone cameras. Specifically, we discover several new attacks that are based on the use of phone cameras. We implement the attacks on real phones, and demonstrate the feasibility and effectiveness of the attacks. Furthermore, we propose a lightweight defense scheme that can effectively detect these attacks. In this paper, we are going to develop an Android application such that when a user loses his/her phone, the spy camera could be launched via remote control and capture what the thief looks like as well as the surrounding environment. Then the pictures or videos along with location information (GPS coordinates) can be sent back to the device owner so that the owner can pinpoint the thief and get the phone back. We conduct a survey on the threats and benefits of spy cameras. Then we present the basic attack model and two camera based attacks: the remote- controlled real time monitoring attack and the pass code inference attack. We run these attacks along with popular antivirus software to test their stealthiness, and conduct experiment to evaluate both types of attack. Keywords: Passcode inference, limbus, eye tracking, remote controlled
This document provides an overview of Android hacking. It begins by introducing Android and defining Android hacking as any technical effort to manipulate the normal behavior of an Android operating system. It then discusses some common Android hacking applications and threats, including data interception, third-party app vulnerabilities, and malware like viruses, SMS trojans, and rootkits. The document also covers hacking Bluetooth-enabled Android devices and outlines steps to better protect devices. Finally, it provides a brief introduction to India's Information Technology Act of 2000 and how cybercriminals operate.
Color Code PIN Authentication System Using Multi-TouchTechnologyIRJET Journal
This document summarizes a research paper that proposes using color codes instead of numbers for PIN entry on mobile devices to increase security against shoulder surfing attacks. The system generates a random arrangement of four colors for the user to select for each digit of their PIN. Attackers would have a difficult time determining the PIN since they don't know the color mapping. The paper also describes using patterns like dots or stripes to help visually impaired users. It analyzes related work on improving PIN security and discusses evaluation results showing the color code method prevents easy observation of PIN entry.
Android HCE: An intro into the world of NFCNFC Forum
NFC allows short-range wireless communication between devices like phones and readers. With host card emulation (HCE), Android phones can emulate smart cards without a secure element by allowing apps to register application identifiers (AIDs) and process commands from NFC readers. HCE enables new use cases for NFC like payments, loyalty programs, and building access by acting as both a card and reader.
The document discusses using sensors such as accelerometers, gyroscopes, and ambient light sensors in Windows applications through either COM interfaces from C++ or the WinRT API from C# and C++/CX. It provides code examples for connecting to sensors, subscribing to sensor events, and retrieving sensor data on things like acceleration, orientation, and ambient light levels. Considerations for efficiency when using sensors in applications are also mentioned.
The TILE is a Bluetooth tracking device that attaches to valuables to help locate them if lost. It works by connecting to a smartphone app, which uses Bluetooth to locate the TILE within 100 feet and location services to track its wider movements. However, this constant tracking raises privacy and security concerns, as it could reveal a user's patterns of life. While the device aims to help find lost items, its functionality depends on the security of its own servers and sensitive user data they contain.
This document discusses a proposed five-factor authentication scheme for secure banking transactions. The five factors are RFID card, PIN number, fingerprint, one-time password (OTP), and keypad ID. During registration, users provide fingerprints and other information that is stored. For login, the user submits their RFID card, PIN, and fingerprint. If the fingerprint exactly matches, the transaction is allowed. If not, an OTP is sent to the user's phone for verification along with keypad ID before allowing the transaction. The scheme aims to improve security over three-factor authentication while protecting user privacy.
Sbvlc secure barcode based visible light communication for smartphonesLeMeniz Infotech
This document summarizes a research paper that proposes SBVLC, a secure system for barcode-based visible light communication between smartphones. It analyzes the security of transmitting barcode streams between device screens and cameras. Three secure data exchange schemes are developed to encode information in barcode streams. The system achieves high security and throughput comparable to NFC. It can enable private information sharing, secure device pairing and contactless payments. Rigorous geometric models were used to examine the system's security, making it the first work to formally study security of VLC and barcode communication between smartphones.
Sbvlc secure barcode based visible light communication for smartphonesLeMeniz Infotech
Sbvlc secure barcode based visible light communication for smartphones
Do Your Projects With Technology Experts
To Get this projects Call : 9566355386 / 99625 88976
Web : http://www.lemenizinfotech.com
Web : http://www.ieeemaster.com
Mail : projects@lemenizinfotech.com
Blog : http://ieeeprojectspondicherry.weebly.com
Blog : http://www.ieeeprojectsinpondicherry.blogspot.in/
Youtube:https://www.youtube.com/watch?v=eesBNUnKvws
The Google Nexus S offers support for Near Field Communication (NFC), an extension to an RFID smart card protocol popularly used for secure access, metro passes (Oyster/Clipper), and electronic money (FeliCa/Octopus). NFC in smartphones promises adding these features to the phone you carry by allowing the it to emulate both RFID tag and reader.
NFC additionally adds new capabilities like exchanging configuration data such as WiFi settings, trading vCard contact information, reading URLs, triggering SMS text messages or initiating calls, and secure bi-directional communication between NFC devices.
This session will cover what NFC and RFID is and is not, what Android on the Nexus S is currently capable of, and some examples of how to add NFC to your apps.
http://where2conf.com/where2011/public/schedule/detail/18443
The document outlines an electronic access control workshop focusing on attacking NFC and RF-based systems. It discusses the history and components of access control systems, including tokens, readers, controllers and backends. Specific NFC card technologies like MIFARE Classic, MIFARE Ultralight and HID iClass are examined, noting many have been broken or have shared encryption keys. The document then proposes a methodology for penetration testing NFC access systems and reviews tools like HydraNFC, ProxMark3 and ChameleonMini that can emulate NFC cards or sniff RF transmissions.
The document discusses smartcards and RFID tags, explaining that they provide more secure authentication than passwords but are still vulnerable to hacking through logical attacks targeting flaws in cryptographic algorithms, key management, or security protocols, or through physical attacks manipulating the hardware. It also provides examples of attacks that have broken proprietary crypto systems in smartcards and weaknesses like default keys that have enabled attacks on key management.
This document provides an overview of Windows 8 platform NFC development. It introduces the Windows proximity APIs for connecting devices, exchanging digital objects, and acquiring content from NFC tags and other devices. It covers subscribing to and publishing messages, reading and writing NDEF formatted tags, launching apps from tags, and establishing peer-to-peer connections between devices using NFC as a trigger. The document is intended to help developers get started with building NFC-enabled apps for Windows 8 and Windows Phone 8.
The Security Challenges of The Rhythmprint Authentication IJECEIAES
The Rhythmprint authentication combines an advantage of the traditional keystroke authentication and the multi-touch technology based on a touchable device such as touchpad on a laptop, a smartphone and a tablet. With the Rhythmprint authentication, the user is less likely to suffer from shoulder surfing and eavesdropping attacks. This research provides empirical evidence to verify the security performance of the Rhythmprint authentication comparing to the traditional keystroke authentication for shoulder surfing and eavesdropping attacks, when the user tries to login to a website on a laptop for 10 times in a public place while the attacker stands behind. The experimental result s show that t he Rhythmprint authentication provides higher security than the traditional keystroke authentication in both shoulder surfing and eavesdropping attacks.
Askozia VoIP Security white paper - 2017, EnglishAskozia
Voice-over-IP (VoIP) provides many new features over PSTN. However, the interconnection with your IT infrastructure also carries risks affecting the security and integrity of your IP services. As IT networks are targeted by attackers, insufficient prevention can endanger not only your network but your telecommunication infrastructure that is build on top of it. This paper aims to educate about possible risks, common attacks and how to prevent them from being successful.
Two Factor Authentication Using Smartphone Generated One Time PasswordIOSR Journals
This document proposes a two-factor authentication system that uses smartphones to generate one-time passwords (OTPs). It aims to improve security over traditional password-based systems while reducing costs compared to hardware token-based OTP systems. The proposed system would have client software on PCs and Android apps to generate OTPs using cryptographic algorithms and unique device identifiers. OTPs would be validated by the server to authenticate transactions. Future work could explore using images instead of OTPs for two-factor authentication via mobile apps.
Remote Phone Access is the eventual remote control tool for the Android Smartphones event access. The events like application actions such as your phone may unlock when you are away and remove the stor-age drive card on your Smartphone or making Blue-tooth on for sending the any kind of personal data from your Smartphone etc. Trust event logger will give you the information of all these actions of what happened and when. To perform all these operations manually, it takes more time to access the device information and also the physical presence of user is needed. To overcome these problems we represent an application called “Trust Event Logger”.
Analysis of Applicability of ISO 9564 PIN based Authentication to Closed-Loop...Eswar Publications
Payment transactions initiated through a mobile device are growing and security concerns must be addressed. People
coming from payment card industry often talk passionately about porting ISO 9564 PIN standard based authentication
in open-loop card payment to closed-loop mobile financial transactions and certification of closed-loop payment product or solution against this standard. In reality, so far this standard has not been adopted in closed-loop mobile payment authentication and applicability of this ISO standard must be studied carefully before adoption. The authors do a critical analysis of the applicability of this ISO specification and make categorical statement about relevance of compliance to closed-loop mobile payment. Security requirements for authentication in closed-loop mobile payment systems are not standardised through ISO 9564 standard, Common Criteria [3], etc. Since closed-loop mobile payment is a relatively new field, the authors make a case for Common Criteria Recognition Agreement (CCRA) or other standards organization to push for publication of a mobile device-agnostic Protection Profile or standard for it, incorporating the suggested authentication approaches.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
This document discusses a new manual authentication technology that uses human trust and interactions to authenticate users instead of passwords, keys, or third parties. It describes a new digest function with a short output of 16-20 bits that allows electronic devices to authenticate data by having their human owners manually compare the digest. The document outlines authentication protocols designed around this concept that do not rely on passwords or keys and maximize security relative to the amount of human work. It also discusses developing new efficient digest algorithms that could take advantage of microprocessor word-level instructions and be generalized to longer outputs.
Multi Factor Authentication Whitepaper Arx - Intellect DesignRajat Jain
The document discusses multifactor authentication solutions from ARX to provide secure access in a work from home environment due to COVID-19. It summarizes the business challenges of passwords being vulnerable to theft and the need for authentication beyond passwords. It then describes ARX's multifactor authentication solution which provides various authentication factors like one-time passwords, soft/hardware tokens, biometrics, and risk-based authentication. It offers centralized policy management and integration with third-party multifactor solutions. ARX provides an advanced multifactor authentication solution for both security and usability for users and administrators.
Camera based attack detection and prevention tech niques on android mobile ph...eSAT Journals
Abstract Mobile phone security has become an important aspect of security issues in wireless multimedia communications. In this paper, we focus on security issues related to mobile phone cameras. Specifically, we discover several new attacks that are based on the use of phone cameras. We implement the attacks on real phones, and demonstrate the feasibility and effectiveness of the attacks. Furthermore, we propose a lightweight defense scheme that can effectively detect these attacks. In this paper, we are going to develop an Android application such that when a user loses his/her phone, the spy camera could be launched via remote control and capture what the thief looks like as well as the surrounding environment. Then the pictures or videos along with location information (GPS coordinates) can be sent back to the device owner so that the owner can pinpoint the thief and get the phone back. We conduct a survey on the threats and benefits of spy cameras. Then we present the basic attack model and two camera based attacks: the remote- controlled real time monitoring attack and the pass code inference attack. We run these attacks along with popular antivirus software to test their stealthiness, and conduct experiment to evaluate both types of attack. Keywords: Passcode inference, limbus, eye tracking, remote controlled
This document provides an overview of Android hacking. It begins by introducing Android and defining Android hacking as any technical effort to manipulate the normal behavior of an Android operating system. It then discusses some common Android hacking applications and threats, including data interception, third-party app vulnerabilities, and malware like viruses, SMS trojans, and rootkits. The document also covers hacking Bluetooth-enabled Android devices and outlines steps to better protect devices. Finally, it provides a brief introduction to India's Information Technology Act of 2000 and how cybercriminals operate.
Color Code PIN Authentication System Using Multi-TouchTechnologyIRJET Journal
This document summarizes a research paper that proposes using color codes instead of numbers for PIN entry on mobile devices to increase security against shoulder surfing attacks. The system generates a random arrangement of four colors for the user to select for each digit of their PIN. Attackers would have a difficult time determining the PIN since they don't know the color mapping. The paper also describes using patterns like dots or stripes to help visually impaired users. It analyzes related work on improving PIN security and discusses evaluation results showing the color code method prevents easy observation of PIN entry.
Android HCE: An intro into the world of NFCNFC Forum
NFC allows short-range wireless communication between devices like phones and readers. With host card emulation (HCE), Android phones can emulate smart cards without a secure element by allowing apps to register application identifiers (AIDs) and process commands from NFC readers. HCE enables new use cases for NFC like payments, loyalty programs, and building access by acting as both a card and reader.
The document discusses using sensors such as accelerometers, gyroscopes, and ambient light sensors in Windows applications through either COM interfaces from C++ or the WinRT API from C# and C++/CX. It provides code examples for connecting to sensors, subscribing to sensor events, and retrieving sensor data on things like acceleration, orientation, and ambient light levels. Considerations for efficiency when using sensors in applications are also mentioned.
The TILE is a Bluetooth tracking device that attaches to valuables to help locate them if lost. It works by connecting to a smartphone app, which uses Bluetooth to locate the TILE within 100 feet and location services to track its wider movements. However, this constant tracking raises privacy and security concerns, as it could reveal a user's patterns of life. While the device aims to help find lost items, its functionality depends on the security of its own servers and sensitive user data they contain.
This document discusses a proposed five-factor authentication scheme for secure banking transactions. The five factors are RFID card, PIN number, fingerprint, one-time password (OTP), and keypad ID. During registration, users provide fingerprints and other information that is stored. For login, the user submits their RFID card, PIN, and fingerprint. If the fingerprint exactly matches, the transaction is allowed. If not, an OTP is sent to the user's phone for verification along with keypad ID before allowing the transaction. The scheme aims to improve security over three-factor authentication while protecting user privacy.
Sbvlc secure barcode based visible light communication for smartphonesLeMeniz Infotech
This document summarizes a research paper that proposes SBVLC, a secure system for barcode-based visible light communication between smartphones. It analyzes the security of transmitting barcode streams between device screens and cameras. Three secure data exchange schemes are developed to encode information in barcode streams. The system achieves high security and throughput comparable to NFC. It can enable private information sharing, secure device pairing and contactless payments. Rigorous geometric models were used to examine the system's security, making it the first work to formally study security of VLC and barcode communication between smartphones.
Sbvlc secure barcode based visible light communication for smartphonesLeMeniz Infotech
Sbvlc secure barcode based visible light communication for smartphones
Do Your Projects With Technology Experts
To Get this projects Call : 9566355386 / 99625 88976
Web : http://www.lemenizinfotech.com
Web : http://www.ieeemaster.com
Mail : projects@lemenizinfotech.com
Blog : http://ieeeprojectspondicherry.weebly.com
Blog : http://www.ieeeprojectsinpondicherry.blogspot.in/
Youtube:https://www.youtube.com/watch?v=eesBNUnKvws
The Google Nexus S offers support for Near Field Communication (NFC), an extension to an RFID smart card protocol popularly used for secure access, metro passes (Oyster/Clipper), and electronic money (FeliCa/Octopus). NFC in smartphones promises adding these features to the phone you carry by allowing the it to emulate both RFID tag and reader.
NFC additionally adds new capabilities like exchanging configuration data such as WiFi settings, trading vCard contact information, reading URLs, triggering SMS text messages or initiating calls, and secure bi-directional communication between NFC devices.
This session will cover what NFC and RFID is and is not, what Android on the Nexus S is currently capable of, and some examples of how to add NFC to your apps.
http://where2conf.com/where2011/public/schedule/detail/18443
The document outlines an electronic access control workshop focusing on attacking NFC and RF-based systems. It discusses the history and components of access control systems, including tokens, readers, controllers and backends. Specific NFC card technologies like MIFARE Classic, MIFARE Ultralight and HID iClass are examined, noting many have been broken or have shared encryption keys. The document then proposes a methodology for penetration testing NFC access systems and reviews tools like HydraNFC, ProxMark3 and ChameleonMini that can emulate NFC cards or sniff RF transmissions.
The document discusses smartcards and RFID tags, explaining that they provide more secure authentication than passwords but are still vulnerable to hacking through logical attacks targeting flaws in cryptographic algorithms, key management, or security protocols, or through physical attacks manipulating the hardware. It also provides examples of attacks that have broken proprietary crypto systems in smartcards and weaknesses like default keys that have enabled attacks on key management.
This document provides an overview of Windows 8 platform NFC development. It introduces the Windows proximity APIs for connecting devices, exchanging digital objects, and acquiring content from NFC tags and other devices. It covers subscribing to and publishing messages, reading and writing NDEF formatted tags, launching apps from tags, and establishing peer-to-peer connections between devices using NFC as a trigger. The document is intended to help developers get started with building NFC-enabled apps for Windows 8 and Windows Phone 8.
The Security Challenges of The Rhythmprint Authentication IJECEIAES
The Rhythmprint authentication combines an advantage of the traditional keystroke authentication and the multi-touch technology based on a touchable device such as touchpad on a laptop, a smartphone and a tablet. With the Rhythmprint authentication, the user is less likely to suffer from shoulder surfing and eavesdropping attacks. This research provides empirical evidence to verify the security performance of the Rhythmprint authentication comparing to the traditional keystroke authentication for shoulder surfing and eavesdropping attacks, when the user tries to login to a website on a laptop for 10 times in a public place while the attacker stands behind. The experimental result s show that t he Rhythmprint authentication provides higher security than the traditional keystroke authentication in both shoulder surfing and eavesdropping attacks.
Askozia VoIP Security white paper - 2017, EnglishAskozia
Voice-over-IP (VoIP) provides many new features over PSTN. However, the interconnection with your IT infrastructure also carries risks affecting the security and integrity of your IP services. As IT networks are targeted by attackers, insufficient prevention can endanger not only your network but your telecommunication infrastructure that is build on top of it. This paper aims to educate about possible risks, common attacks and how to prevent them from being successful.
Two Factor Authentication Using Smartphone Generated One Time PasswordIOSR Journals
This document proposes a two-factor authentication system that uses smartphones to generate one-time passwords (OTPs). It aims to improve security over traditional password-based systems while reducing costs compared to hardware token-based OTP systems. The proposed system would have client software on PCs and Android apps to generate OTPs using cryptographic algorithms and unique device identifiers. OTPs would be validated by the server to authenticate transactions. Future work could explore using images instead of OTPs for two-factor authentication via mobile apps.
Remote Phone Access is the eventual remote control tool for the Android Smartphones event access. The events like application actions such as your phone may unlock when you are away and remove the stor-age drive card on your Smartphone or making Blue-tooth on for sending the any kind of personal data from your Smartphone etc. Trust event logger will give you the information of all these actions of what happened and when. To perform all these operations manually, it takes more time to access the device information and also the physical presence of user is needed. To overcome these problems we represent an application called “Trust Event Logger”.
Analysis of Applicability of ISO 9564 PIN based Authentication to Closed-Loop...Eswar Publications
Payment transactions initiated through a mobile device are growing and security concerns must be addressed. People
coming from payment card industry often talk passionately about porting ISO 9564 PIN standard based authentication
in open-loop card payment to closed-loop mobile financial transactions and certification of closed-loop payment product or solution against this standard. In reality, so far this standard has not been adopted in closed-loop mobile payment authentication and applicability of this ISO standard must be studied carefully before adoption. The authors do a critical analysis of the applicability of this ISO specification and make categorical statement about relevance of compliance to closed-loop mobile payment. Security requirements for authentication in closed-loop mobile payment systems are not standardised through ISO 9564 standard, Common Criteria [3], etc. Since closed-loop mobile payment is a relatively new field, the authors make a case for Common Criteria Recognition Agreement (CCRA) or other standards organization to push for publication of a mobile device-agnostic Protection Profile or standard for it, incorporating the suggested authentication approaches.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
This document discusses a new manual authentication technology that uses human trust and interactions to authenticate users instead of passwords, keys, or third parties. It describes a new digest function with a short output of 16-20 bits that allows electronic devices to authenticate data by having their human owners manually compare the digest. The document outlines authentication protocols designed around this concept that do not rely on passwords or keys and maximize security relative to the amount of human work. It also discusses developing new efficient digest algorithms that could take advantage of microprocessor word-level instructions and be generalized to longer outputs.
Multi Factor Authentication Whitepaper Arx - Intellect DesignRajat Jain
The document discusses multifactor authentication solutions from ARX to provide secure access in a work from home environment due to COVID-19. It summarizes the business challenges of passwords being vulnerable to theft and the need for authentication beyond passwords. It then describes ARX's multifactor authentication solution which provides various authentication factors like one-time passwords, soft/hardware tokens, biometrics, and risk-based authentication. It offers centralized policy management and integration with third-party multifactor solutions. ARX provides an advanced multifactor authentication solution for both security and usability for users and administrators.
A Review Study on Secure Authentication in Mobile SystemEditor IJCATR
This document summarizes authentication techniques for mobile systems. It discusses single-factor and multi-factor authentication using passwords, tokens, and biometrics. It also reviews RFID authentication protocols like SRAC and ASRAC for secure and low-cost RFID systems. Public key cryptography models using elliptic curve cryptography are proposed for mobile security. Secure authentication provides benefits like protection, scalability, speed, and availability for mobile enterprises. Both encryption and authentication are needed but encryption requires more processing resources so should only be used for critical information.
Hello, Guys, My name is Punit Pandey and i am pursuing an MCA and I am also a security expert for securing a network and computer. So, that i am gonna publish some PPT for understanding how to create a layer for security.
In this section, you can learn the introduction of the hardware authentication in a technology.
And it will be covering all the Hardware security-related things I think it is a very helpful for your learning process and easy to understand how to the hardware work.
A secure communication in smart phones using two factor authenticationseSAT Publishing House
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
A secure communication in smart phones using two factor authenticationeSAT Journals
Abstract Most secure systems face security attacks mainly at the client side. Two Factor Authentication (TFA) provides improved protection to the system at the client side by prompting to provide something they know and something they have. This system uses a one time password(OTP) generation method which doesn’t require client-server communication, which frees the system from cost of sending a dynamic password each time the client wants to login. The OTP generation uses the factors that are unique to the user and is installed on a smart phone in Android platform owned by the user. An OTP is valid for a minutes time, after which, is useless. The system thus provides better client level security – a simple low cost method which protects system from hacking techniques like key logging, phishing, shoulder surfing, etc. Keywords—Authentication, OTP, key logging, phishing
Two aspect authentication system using secure mobileUvaraj Shan
This document presents a two-factor authentication system that uses a user's mobile device. It combines one-time passwords as the first factor with encrypted user credentials stored on the mobile device as the second factor. The system is designed to provide strong authentication while reducing costs compared to hardware token-based systems. It analyzes the security of the approach and evaluates usability through a study. The study found participants were willing to accept lower usability for improved security when using untrusted computers.
Two aspect authentication system using secure mobile devicesUvaraj Shan
This document summarizes a research paper that proposes a two-factor authentication system using mobile devices. The system uses one-time passwords as the first authentication factor and encrypted user credentials stored on a mobile phone as the second factor. The system is designed to provide strong authentication while reducing costs compared to token-based systems. It analyzes the security of the approach and evaluates usability through a study where participants accepted lower usability for improved security of their credentials.
SURVEY OF TRUST BASED BLUETOOTH AUTHENTICATION FOR MOBILE DEVICEEditor IJMTER
Practical requirements for securely demonstrating identities between two handheld
devices are an important concern. The adversary can inject a Man-In- The-Middle (MITM) attack to
intrude the protocol. Protocols that employ secret keys require the devices to share private
information in advance, in which it is not feasible in the above scenario. Apart from insecurely
typing passwords into handheld devices or comparing long hexadecimal keys displayed on the
devices’ screen, many other human-verifiable protocols have been proposed in the literature to solve
the problem. Unfortunately, most of these schemes are unsalable to more users. Even when there are
only three entities attempt to agree a session key, these protocols need to be rerun for three times.
So, in the existing method a bipartite and a tripartite authentication protocol is presented using a
temporary confidential channel. Besides, further extend the system into a transitive authentication
protocol that allows multiple handheld devices to establish a conference key securely and efficiently.
But this method detects only the outsider attacks. Method does not consider the insider attacks. So,
in the proposed method trust score based method is introduced which computes the trust values for
the nodes and provide the security. The trust score is computed has a positive influence on the
confidence with which an entity conducts transactions with that node. Network the behavior of the
node will be monitored periodically and its trust value is also updated .So depending on the behavior
of the node in the network trust relation will be established between two nodes.
The document proposes an e-voting authentication scheme that uses QR codes and visual cryptography. Voters are issued two "shares" - one containing a QR code with their password, and one stored in a database. To vote, a voter scans the QR code to reveal the password, enters it, and is authenticated. The scheme aims to be highly usable by requiring only a QR code scanner, with no technical background needed. It evaluates the scheme's security against attacks like intercepting transmitted shares or manipulating scanning software.
KAFA: A novel interoperability open framework to utilize Indonesian electroni...TELKOMNIKA JOURNAL
Indonesian people have electronic citizen card called e-KTP. e-KTP is NFC based technology embedded inside Indonesian citizenship identity card. e-KTP technology has never been used until now since it was launch officially by the government. This research proposes an independent framework for bridging the gap between Indonesia regulation for e-KTP and commercial use in the many commercial or organization sector. The Framework proposes interoperability framework using novel combination component, there are e-KTP reader, Middleware and Web Service. KAFA (e-KTP Middleware and Framework) implementing Internet of Things (IoT) concept to make it as open standard and independent. The framework use federation mode or decentralized data for interoperability, to make sure not breaking the law of privacy. Extended development of AES-CBC cipher algorithm was used to encrypt the data on the transport between middleware and web service.
A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...ADEIJ Journal
Today, a large number of people access internet through their smart phones to login to their bank accounts, social networking accounts and various other blogs. In such a scenario, user authentication has emerged as a major security issue in mobile internet. To date, password based authentication schemes have been extensively used to provide authentication and security. The password based authentication has always been cumbersome for the users because human memory is transient and remembering a large number of long and complicated passwords is impossible. Also, it is vulnerable to various kinds of attacks like brute force, rainbow table, dictionary, sniffing, shoulder surfing and so on. As the main contribution of this paper, a new passwordless authentication scheme for smart phones is presented which not only resolves all the weaknesses of password based schemes but also provide robust security. The proposed scheme relieves users from memorizing and storing long and complicated passwords. The proposed scheme uses ECDSA which is based on Elliptic Curve Cryptography (ECC). ECC has remarkable strength and efficiency advantages in terms of bandwidth, key sizes and computational overheads over other public key cryptosystems. It is therefore suitable for resource constraint devices like smart phone. Furthermore, the proposed scheme incorporate CAPTCHA which play a very important role in protecting the web resources from spamming and other malicious activities. To the best of our knowledge, until now no passwordless user authentication protocol based on ECC has been proposed for smart phones. Finally, the security and functionality analysis shows that compared with existing password based authentication schemes, the proposed scheme is more secure and efficient.
Secure Code Generation for Multi-level Mutual AuthenticationTELKOMNIKA JOURNAL
Any secured system requires one or more logging policies to make that system safe. Static
passwords alone cannot be furthermore enough for securing systems, even with strong passwords illegal
intrusions occur or it suffers the risk of forgotten. Authentication using many levels (factors) might
complicate the steps when intruders try to reach system resources. Any person to be authorized for
logging-in a secured system must provide some predefined data or present some entities that identify
his/her authority. Predefined information between the client and the system help to get more secure level
of logging-in. In this paper, the user that aims to log-in to a secured system must provide a recognized
RFID card with a mobile number, which is available in the secured systems database, then the secured
system with a simple algorithm generates a One-time Password that is sent via GSM Arduino compatible
shield to the user announcing him/her as an authorized person.
The document discusses securing industrial IoT (IIoT) applications and devices. It identifies three main attack surfaces: the application, the device, and the network. To secure the application, it recommends using secure APIs, complex passwords, limiting API calls, and continuous deployment. For devices, it suggests securing the SIM card, physical device, and device software through measures like embedded SIMs, firmware updates, and remote management. Finally, it advises limiting voice, SMS, and data services on networks to reduce vulnerabilities. Overall, the document stresses the importance of prioritizing security for IIoT given the increasing threats to connected industrial systems.
An Identity-Based Mutual Authentication with Key Agreementijtsrd
Now days mobile networks are rapid development by performing the e-commerce transaction such as online shopping, internet banking and e- payment. So that to provide secure communication, authentication and key agreement is important issue in the mobile networks. Hence, schemes for authentication and key agreement have been studied widely. So that to provide efficient and more secure techniques is necessary. In this paper we are proposed random prime order key agreement protocol proposed for authentication and key agreement. Another technique is used to provide security of transferred data using key xor data transpose technique. By using this technique, we provide more security and more efficiency for transferring data. B. V. S. Manikya Rao | Y. Triveni "An Identity-Based Mutual Authentication with Key Agreement" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3 | Issue-2 , February 2019, URL: https://www.ijtsrd.com/papers/ijtsrd21562.pdf
Paper URL: https://www.ijtsrd.com/computer-science/computer-security/21562/an-identity-based-mutual-authentication-with-key-agreement/b-v-s-manikya-rao
New design of lightweight authentication protocol in wearable technologyTELKOMNIKA JOURNAL
The document describes a new design for a lightweight authentication protocol for wearable technology. It begins with background on wearable devices and the importance of authentication between wearables, mobile terminals, and users. It then analyzes security issues with existing lightweight authentication protocols, noting they lack protections against impersonation attacks. The proposed solution is a new protocol design that utilizes a modified S-NCI key establishment scheme. The protocol adds identity and nonce parameters to address weaknesses identified through formal analysis. It has two phases: registration and pair and mutual authentication. The registration phase involves a user registering attributes with a cloud server through a mobile terminal. The pair and mutual authentication phase authenticates the wearable device, mobile terminal, and user through interactions with a
Detection and prevention method of rooting attack on the android phonesIAEME Publication
This document summarizes a thesis about detecting and preventing rooting attacks on Android phones. It discusses how personal information and authentication certificates are saved on Android devices and vulnerable to exploitation during financial transactions if the phone is rooted. The document outlines two common rooting methods, RageAgainstTheCage and GingerBreak, that gain root access by exploiting vulnerabilities in the Android OS. It proposes analyzing how information is stored and establishing countermeasures to protect against rooting attacks and prevent leakage of financial data from Android phones.
An Android PGP Manager: Towards Bridging End-User Cryptography to Smart PhonesCSCJournals
This paper presents a key management and an encryption application for the Android operating system, which can be used to secure the privacy of messages exchanged among applications and Web services when accessed from mobile devices. In addition to the management of PGP keys, the application uses PGP encryption to secure the clipboard communication channel on the Android OS, which is widely used to exchange messages especially in the context of social networking and other Web-based services.
This paper is included in the Proceedings of the 24th USENIX.docxherthalearmont
This document summarizes a research paper that proposes Sound-Proof, a two-factor authentication mechanism based on comparing ambient sound recordings from a user's phone and computer. Sound-Proof aims to improve usability by not requiring any interaction between the user and their phone during login. It is designed to be easily deployable as it works with current phones, computers, and major browsers without plugins. The paper presents a prototype and evaluates Sound-Proof's effectiveness at determining if devices are in the same environment based on ambient audio comparisons. A user study found participants preferred Sound-Proof over Google 2-Step Verification and most would use it even if two-factor authentication was optional.
This document discusses several topics related to cyber security including:
1. Windows security features such as User Account Control, BitLocker Drive Encryption, and Windows Firewall.
2. Network security challenges such as verifying user identity, protecting against DDoS attacks, and securing web applications.
3. Limitations of today's security solutions and how the modern workplace has increased risks from factors like telecommuting and use of mobile devices.
4. Types of internet security protocols and cryptography techniques as well as common forms of malicious software like viruses, worms, and trojan horses.
Similar to 2FYSH: two-factor authentication you should have for password replacement (20)
Amazon products reviews classification based on machine learning, deep learni...TELKOMNIKA JOURNAL
In recent times, the trend of online shopping through e-commerce stores and websites has grown to a huge extent. Whenever a product is purchased on an e-commerce platform, people leave their reviews about the product. These reviews are very helpful for the store owners and the product’s manufacturers for the betterment of their work process as well as product quality. An automated system is proposed in this work that operates on two datasets D1 and D2 obtained from Amazon. After certain preprocessing steps, N-gram and word embedding-based features are extracted using term frequency-inverse document frequency (TF-IDF), bag of words (BoW) and global vectors (GloVe), and Word2vec, respectively. Four machine learning (ML) models support vector machines (SVM), logistic regression (RF), logistic regression (LR), multinomial Naïve Bayes (MNB), two deep learning (DL) models convolutional neural network (CNN), long-short term memory (LSTM), and standalone bidirectional encoder representations (BERT) are used to classify reviews as either positive or negative. The results obtained by the standard ML, DL models and BERT are evaluated using certain performance evaluation measures. BERT turns out to be the best-performing model in the case of D1 with an accuracy of 90% on features derived by word embedding models while the CNN provides the best accuracy of 97% upon word embedding features in the case of D2. The proposed model shows better overall performance on D2 as compared to D1.
Design, simulation, and analysis of microstrip patch antenna for wireless app...TELKOMNIKA JOURNAL
In this study, a microstrip patch antenna that works at 3.6 GHz was built and tested to see how well it works. In this work, Rogers RT/Duroid 5880 has been used as the substrate material, with a dielectric permittivity of 2.2 and a thickness of 0.3451 mm; it serves as the base for the examined antenna. The computer simulation technology (CST) studio suite is utilized to show the recommended antenna design. The goal of this study was to get a more extensive transmission capacity, a lower voltage standing wave ratio (VSWR), and a lower return loss, but the main goal was to get a higher gain, directivity, and efficiency. After simulation, the return loss, gain, directivity, bandwidth, and efficiency of the supplied antenna are found to be -17.626 dB, 9.671 dBi, 9.924 dBi, 0.2 GHz, and 97.45%, respectively. Besides, the recreation uncovered that the transfer speed side-lobe level at phi was much better than those of the earlier works, at -28.8 dB, respectively. Thus, it makes a solid contender for remote innovation and more robust communication.
Design and simulation an optimal enhanced PI controller for congestion avoida...TELKOMNIKA JOURNAL
This document describes using a snake optimization algorithm to tune the gains of an enhanced proportional-integral controller for congestion avoidance in a TCP/AQM system. The controller aims to maintain a stable and desired queue size without noise or transmission problems. A linearized model of the TCP/AQM system is presented. An enhanced PI controller combining nonlinear gain and original PI gains is proposed. The snake optimization algorithm is then used to tune the parameters of the enhanced PI controller to achieve optimal system performance and response. Simulation results are discussed showing the proposed controller provides a stable and robust behavior for congestion control.
Improving the detection of intrusion in vehicular ad-hoc networks with modifi...TELKOMNIKA JOURNAL
Vehicular ad-hoc networks (VANETs) are wireless-equipped vehicles that form networks along the road. The security of this network has been a major challenge. The identity-based cryptosystem (IBC) previously used to secure the networks suffers from membership authentication security features. This paper focuses on improving the detection of intruders in VANETs with a modified identity-based cryptosystem (MIBC). The MIBC is developed using a non-singular elliptic curve with Lagrange interpolation. The public key of vehicles and roadside units on the network are derived from number plates and location identification numbers, respectively. Pseudo-identities are used to mask the real identity of users to preserve their privacy. The membership authentication mechanism ensures that only valid and authenticated members of the network are allowed to join the network. The performance of the MIBC is evaluated using intrusion detection ratio (IDR) and computation time (CT) and then validated with the existing IBC. The result obtained shows that the MIBC recorded an IDR of 99.3% against 94.3% obtained for the existing identity-based cryptosystem (EIBC) for 140 unregistered vehicles attempting to intrude on the network. The MIBC shows lower CT values of 1.17 ms against 1.70 ms for EIBC. The MIBC can be used to improve the security of VANETs.
Conceptual model of internet banking adoption with perceived risk and trust f...TELKOMNIKA JOURNAL
Understanding the primary factors of internet banking (IB) acceptance is critical for both banks and users; nevertheless, our knowledge of the role of users’ perceived risk and trust in IB adoption is limited. As a result, we develop a conceptual model by incorporating perceived risk and trust into the technology acceptance model (TAM) theory toward the IB. The proper research emphasized that the most essential component in explaining IB adoption behavior is behavioral intention to use IB adoption. TAM is helpful for figuring out how elements that affect IB adoption are connected to one another. According to previous literature on IB and the use of such technology in Iraq, one has to choose a theoretical foundation that may justify the acceptance of IB from the customer’s perspective. The conceptual model was therefore constructed using the TAM as a foundation. Furthermore, perceived risk and trust were added to the TAM dimensions as external factors. The key objective of this work was to extend the TAM to construct a conceptual model for IB adoption and to get sufficient theoretical support from the existing literature for the essential elements and their relationships in order to unearth new insights about factors responsible for IB adoption.
Efficient combined fuzzy logic and LMS algorithm for smart antennaTELKOMNIKA JOURNAL
The smart antennas are broadly used in wireless communication. The least mean square (LMS) algorithm is a procedure that is concerned in controlling the smart antenna pattern to accommodate specified requirements such as steering the beam toward the desired signal, in addition to placing the deep nulls in the direction of unwanted signals. The conventional LMS (C-LMS) has some drawbacks like slow convergence speed besides high steady state fluctuation error. To overcome these shortcomings, the present paper adopts an adaptive fuzzy control step size least mean square (FC-LMS) algorithm to adjust its step size. Computer simulation outcomes illustrate that the given model has fast convergence rate as well as low mean square error steady state.
Design and implementation of a LoRa-based system for warning of forest fireTELKOMNIKA JOURNAL
This paper presents the design and implementation of a forest fire monitoring and warning system based on long range (LoRa) technology, a novel ultra-low power consumption and long-range wireless communication technology for remote sensing applications. The proposed system includes a wireless sensor network that records environmental parameters such as temperature, humidity, wind speed, and carbon dioxide (CO2) concentration in the air, as well as taking infrared photos.The data collected at each sensor node will be transmitted to the gateway via LoRa wireless transmission. Data will be collected, processed, and uploaded to a cloud database at the gateway. An Android smartphone application that allows anyone to easily view the recorded data has been developed. When a fire is detected, the system will sound a siren and send a warning message to the responsible personnel, instructing them to take appropriate action. Experiments in Tram Chim Park, Vietnam, have been conducted to verify and evaluate the operation of the system.
Wavelet-based sensing technique in cognitive radio networkTELKOMNIKA JOURNAL
Cognitive radio is a smart radio that can change its transmitter parameter based on interaction with the environment in which it operates. The demand for frequency spectrum is growing due to a big data issue as many Internet of Things (IoT) devices are in the network. Based on previous research, most frequency spectrum was used, but some spectrums were not used, called spectrum hole. Energy detection is one of the spectrum sensing methods that has been frequently used since it is easy to use and does not require license users to have any prior signal understanding. But this technique is incapable of detecting at low signal-to-noise ratio (SNR) levels. Therefore, the wavelet-based sensing is proposed to overcome this issue and detect spectrum holes. The main objective of this work is to evaluate the performance of wavelet-based sensing and compare it with the energy detection technique. The findings show that the percentage of detection in wavelet-based sensing is 83% higher than energy detection performance. This result indicates that the wavelet-based sensing has higher precision in detection and the interference towards primary user can be decreased.
A novel compact dual-band bandstop filter with enhanced rejection bandsTELKOMNIKA JOURNAL
In this paper, we present the design of a new wide dual-band bandstop filter (DBBSF) using nonuniform transmission lines. The method used to design this filter is to replace conventional uniform transmission lines with nonuniform lines governed by a truncated Fourier series. Based on how impedances are profiled in the proposed DBBSF structure, the fractional bandwidths of the two 10 dB-down rejection bands are widened to 39.72% and 52.63%, respectively, and the physical size has been reduced compared to that of the filter with the uniform transmission lines. The results of the electromagnetic (EM) simulation support the obtained analytical response and show an improved frequency behavior.
Deep learning approach to DDoS attack with imbalanced data at the application...TELKOMNIKA JOURNAL
A distributed denial of service (DDoS) attack is where one or more computers attack or target a server computer, by flooding internet traffic to the server. As a result, the server cannot be accessed by legitimate users. A result of this attack causes enormous losses for a company because it can reduce the level of user trust, and reduce the company’s reputation to lose customers due to downtime. One of the services at the application layer that can be accessed by users is a web-based lightweight directory access protocol (LDAP) service that can provide safe and easy services to access directory applications. We used a deep learning approach to detect DDoS attacks on the CICDDoS 2019 dataset on a complex computer network at the application layer to get fast and accurate results for dealing with unbalanced data. Based on the results obtained, it is observed that DDoS attack detection using a deep learning approach on imbalanced data performs better when implemented using synthetic minority oversampling technique (SMOTE) method for binary classes. On the other hand, the proposed deep learning approach performs better for detecting DDoS attacks in multiclass when implemented using the adaptive synthetic (ADASYN) method.
The appearance of uncertainties and disturbances often effects the characteristics of either linear or nonlinear systems. Plus, the stabilization process may be deteriorated thus incurring a catastrophic effect to the system performance. As such, this manuscript addresses the concept of matching condition for the systems that are suffering from miss-match uncertainties and exogeneous disturbances. The perturbation towards the system at hand is assumed to be known and unbounded. To reach this outcome, uncertainties and their classifications are reviewed thoroughly. The structural matching condition is proposed and tabulated in the proposition 1. Two types of mathematical expressions are presented to distinguish the system with matched uncertainty and the system with miss-matched uncertainty. Lastly, two-dimensional numerical expressions are provided to practice the proposed proposition. The outcome shows that matching condition has the ability to change the system to a design-friendly model for asymptotic stabilization.
Implementation of FinFET technology based low power 4×4 Wallace tree multipli...TELKOMNIKA JOURNAL
Many systems, including digital signal processors, finite impulse response (FIR) filters, application-specific integrated circuits, and microprocessors, use multipliers. The demand for low power multipliers is gradually rising day by day in the current technological trend. In this study, we describe a 4×4 Wallace multiplier based on a carry select adder (CSA) that uses less power and has a better power delay product than existing multipliers. HSPICE tool at 16 nm technology is used to simulate the results. In comparison to the traditional CSA-based multiplier, which has a power consumption of 1.7 µW and power delay product (PDP) of 57.3 fJ, the results demonstrate that the Wallace multiplier design employing CSA with first zero finding logic (FZF) logic has the lowest power consumption of 1.4 µW and PDP of 27.5 fJ.
Evaluation of the weighted-overlap add model with massive MIMO in a 5G systemTELKOMNIKA JOURNAL
The flaw in 5G orthogonal frequency division multiplexing (OFDM) becomes apparent in high-speed situations. Because the doppler effect causes frequency shifts, the orthogonality of OFDM subcarriers is broken, lowering both their bit error rate (BER) and throughput output. As part of this research, we use a novel design that combines massive multiple input multiple output (MIMO) and weighted overlap and add (WOLA) to improve the performance of 5G systems. To determine which design is superior, throughput and BER are calculated for both the proposed design and OFDM. The results of the improved system show a massive improvement in performance ver the conventional system and significant improvements with massive MIMO, including the best throughput and BER. When compared to conventional systems, the improved system has a throughput that is around 22% higher and the best performance in terms of BER, but it still has around 25% less error than OFDM.
Reflector antenna design in different frequencies using frequency selective s...TELKOMNIKA JOURNAL
In this study, it is aimed to obtain two different asymmetric radiation patterns obtained from antennas in the shape of the cross-section of a parabolic reflector (fan blade type antennas) and antennas with cosecant-square radiation characteristics at two different frequencies from a single antenna. For this purpose, firstly, a fan blade type antenna design will be made, and then the reflective surface of this antenna will be completed to the shape of the reflective surface of the antenna with the cosecant-square radiation characteristic with the frequency selective surface designed to provide the characteristics suitable for the purpose. The frequency selective surface designed and it provides the perfect transmission as possible at 4 GHz operating frequency, while it will act as a band-quenching filter for electromagnetic waves at 5 GHz operating frequency and will be a reflective surface. Thanks to this frequency selective surface to be used as a reflective surface in the antenna, a fan blade type radiation characteristic at 4 GHz operating frequency will be obtained, while a cosecant-square radiation characteristic at 5 GHz operating frequency will be obtained.
Reagentless iron detection in water based on unclad fiber optical sensorTELKOMNIKA JOURNAL
A simple and low-cost fiber based optical sensor for iron detection is demonstrated in this paper. The sensor head consist of an unclad optical fiber with the unclad length of 1 cm and it has a straight structure. Results obtained shows a linear relationship between the output light intensity and iron concentration, illustrating the functionality of this iron optical sensor. Based on the experimental results, the sensitivity and linearity are achieved at 0.0328/ppm and 0.9824 respectively at the wavelength of 690 nm. With the same wavelength, other performance parameters are also studied. Resolution and limit of detection (LOD) are found to be 0.3049 ppm and 0.0755 ppm correspondingly. This iron sensor is advantageous in that it does not require any reagent for detection, enabling it to be simpler and cost-effective in the implementation of the iron sensing.
Impact of CuS counter electrode calcination temperature on quantum dot sensit...TELKOMNIKA JOURNAL
In place of the commercial Pt electrode used in quantum sensitized solar cells, the low-cost CuS cathode is created using electrophoresis. High resolution scanning electron microscopy and X-ray diffraction were used to analyze the structure and morphology of structural cubic samples with diameters ranging from 40 nm to 200 nm. The conversion efficiency of solar cells is significantly impacted by the calcination temperatures of cathodes at 100 °C, 120 °C, 150 °C, and 180 °C under vacuum. The fluorine doped tin oxide (FTO)/CuS cathode electrode reached a maximum efficiency of 3.89% when it was calcined at 120 °C. Compared to other temperature combinations, CuS nanoparticles crystallize at 120 °C, which lowers resistance while increasing electron lifetime.
In place of the commercial Pt electrode used in quantum sensitized solar cells, the low-cost CuS cathode is created using electrophoresis. High resolution scanning electron microscopy and X-ray diffraction were used to analyze the structure and morphology of structural cubic samples with diameters ranging from 40 nm to 200 nm. The conversion efficiency of solar cells is significantly impacted by the calcination temperatures of cathodes at 100 °C, 120 °C, 150 °C, and 180 °C under vacuum. The fluorine doped tin oxide (FTO)/CuS cathode electrode reached a maximum efficiency of 3.89% when it was calcined at 120 °C. Compared to other temperature combinations, CuS nanoparticles crystallize at 120 °C, which lowers resistance while increasing electron lifetime.
A progressive learning for structural tolerance online sequential extreme lea...TELKOMNIKA JOURNAL
This article discusses the progressive learning for structural tolerance online sequential extreme learning machine (PSTOS-ELM). PSTOS-ELM can save robust accuracy while updating the new data and the new class data on the online training situation. The robustness accuracy arises from using the householder block exact QR decomposition recursive least squares (HBQRD-RLS) of the PSTOS-ELM. This method is suitable for applications that have data streaming and often have new class data. Our experiment compares the PSTOS-ELM accuracy and accuracy robustness while data is updating with the batch-extreme learning machine (ELM) and structural tolerance online sequential extreme learning machine (STOS-ELM) that both must retrain the data in a new class data case. The experimental results show that PSTOS-ELM has accuracy and robustness comparable to ELM and STOS-ELM while also can update new class data immediately.
Electroencephalography-based brain-computer interface using neural networksTELKOMNIKA JOURNAL
This study aimed to develop a brain-computer interface that can control an electric wheelchair using electroencephalography (EEG) signals. First, we used the Mind Wave Mobile 2 device to capture raw EEG signals from the surface of the scalp. The signals were transformed into the frequency domain using fast Fourier transform (FFT) and filtered to monitor changes in attention and relaxation. Next, we performed time and frequency domain analyses to identify features for five eye gestures: opened, closed, blink per second, double blink, and lookup. The base state was the opened-eyes gesture, and we compared the features of the remaining four action gestures to the base state to identify potential gestures. We then built a multilayer neural network to classify these features into five signals that control the wheelchair’s movement. Finally, we designed an experimental wheelchair system to test the effectiveness of the proposed approach. The results demonstrate that the EEG classification was highly accurate and computationally efficient. Moreover, the average performance of the brain-controlled wheelchair system was over 75% across different individuals, which suggests the feasibility of this approach.
Adaptive segmentation algorithm based on level set model in medical imagingTELKOMNIKA JOURNAL
For image segmentation, level set models are frequently employed. It offer best solution to overcome the main limitations of deformable parametric models. However, the challenge when applying those models in medical images stills deal with removing blurs in image edges which directly affects the edge indicator function, leads to not adaptively segmenting images and causes a wrong analysis of pathologies wich prevents to conclude a correct diagnosis. To overcome such issues, an effective process is suggested by simultaneously modelling and solving systems’ two-dimensional partial differential equations (PDE). The first PDE equation allows restoration using Euler’s equation similar to an anisotropic smoothing based on a regularized Perona and Malik filter that eliminates noise while preserving edge information in accordance with detected contours in the second equation that segments the image based on the first equation solutions. This approach allows developing a new algorithm which overcome the studied model drawbacks. Results of the proposed method give clear segments that can be applied to any application. Experiments on many medical images in particular blurry images with high information losses, demonstrate that the developed approach produces superior segmentation results in terms of quantity and quality compared to other models already presented in previeous works.
Automatic channel selection using shuffled frog leaping algorithm for EEG bas...TELKOMNIKA JOURNAL
Drug addiction is a complex neurobiological disorder that necessitates comprehensive treatment of both the body and mind. It is categorized as a brain disorder due to its impact on the brain. Various methods such as electroencephalography (EEG), functional magnetic resonance imaging (FMRI), and magnetoencephalography (MEG) can capture brain activities and structures. EEG signals provide valuable insights into neurological disorders, including drug addiction. Accurate classification of drug addiction from EEG signals relies on appropriate features and channel selection. Choosing the right EEG channels is essential to reduce computational costs and mitigate the risk of overfitting associated with using all available channels. To address the challenge of optimal channel selection in addiction detection from EEG signals, this work employs the shuffled frog leaping algorithm (SFLA). SFLA facilitates the selection of appropriate channels, leading to improved accuracy. Wavelet features extracted from the selected input channel signals are then analyzed using various machine learning classifiers to detect addiction. Experimental results indicate that after selecting features from the appropriate channels, classification accuracy significantly increased across all classifiers. Particularly, the multi-layer perceptron (MLP) classifier combined with SFLA demonstrated a remarkable accuracy improvement of 15.78% while reducing time complexity.
Embedded machine learning-based road conditions and driving behavior monitoringIJECEIAES
Car accident rates have increased in recent years, resulting in losses in human lives, properties, and other financial costs. An embedded machine learning-based system is developed to address this critical issue. The system can monitor road conditions, detect driving patterns, and identify aggressive driving behaviors. The system is based on neural networks trained on a comprehensive dataset of driving events, driving styles, and road conditions. The system effectively detects potential risks and helps mitigate the frequency and impact of accidents. The primary goal is to ensure the safety of drivers and vehicles. Collecting data involved gathering information on three key road events: normal street and normal drive, speed bumps, circular yellow speed bumps, and three aggressive driving actions: sudden start, sudden stop, and sudden entry. The gathered data is processed and analyzed using a machine learning system designed for limited power and memory devices. The developed system resulted in 91.9% accuracy, 93.6% precision, and 92% recall. The achieved inference time on an Arduino Nano 33 BLE Sense with a 32-bit CPU running at 64 MHz is 34 ms and requires 2.6 kB peak RAM and 139.9 kB program flash memory, making it suitable for resource-constrained embedded systems.
Null Bangalore | Pentesters Approach to AWS IAMDivyanshu
#Abstract:
- Learn more about the real-world methods for auditing AWS IAM (Identity and Access Management) as a pentester. So let us proceed with a brief discussion of IAM as well as some typical misconfigurations and their potential exploits in order to reinforce the understanding of IAM security best practices.
- Gain actionable insights into AWS IAM policies and roles, using hands on approach.
#Prerequisites:
- Basic understanding of AWS services and architecture
- Familiarity with cloud security concepts
- Experience using the AWS Management Console or AWS CLI.
- For hands on lab create account on [killercoda.com](https://killercoda.com/cloudsecurity-scenario/)
# Scenario Covered:
- Basics of IAM in AWS
- Implementing IAM Policies with Least Privilege to Manage S3 Bucket
- Objective: Create an S3 bucket with least privilege IAM policy and validate access.
- Steps:
- Create S3 bucket.
- Attach least privilege policy to IAM user.
- Validate access.
- Exploiting IAM PassRole Misconfiguration
-Allows a user to pass a specific IAM role to an AWS service (ec2), typically used for service access delegation. Then exploit PassRole Misconfiguration granting unauthorized access to sensitive resources.
- Objective: Demonstrate how a PassRole misconfiguration can grant unauthorized access.
- Steps:
- Allow user to pass IAM role to EC2.
- Exploit misconfiguration for unauthorized access.
- Access sensitive resources.
- Exploiting IAM AssumeRole Misconfiguration with Overly Permissive Role
- An overly permissive IAM role configuration can lead to privilege escalation by creating a role with administrative privileges and allow a user to assume this role.
- Objective: Show how overly permissive IAM roles can lead to privilege escalation.
- Steps:
- Create role with administrative privileges.
- Allow user to assume the role.
- Perform administrative actions.
- Differentiation between PassRole vs AssumeRole
Try at [killercoda.com](https://killercoda.com/cloudsecurity-scenario/)
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODELijaia
As digital technology becomes more deeply embedded in power systems, protecting the communication
networks of Smart Grids (SG) has emerged as a critical concern. Distributed Network Protocol 3 (DNP3)
represents a multi-tiered application layer protocol extensively utilized in Supervisory Control and Data
Acquisition (SCADA)-based smart grids to facilitate real-time data gathering and control functionalities.
Robust Intrusion Detection Systems (IDS) are necessary for early threat detection and mitigation because
of the interconnection of these networks, which makes them vulnerable to a variety of cyberattacks. To
solve this issue, this paper develops a hybrid Deep Learning (DL) model specifically designed for intrusion
detection in smart grids. The proposed approach is a combination of the Convolutional Neural Network
(CNN) and the Long-Short-Term Memory algorithms (LSTM). We employed a recent intrusion detection
dataset (DNP3), which focuses on unauthorized commands and Denial of Service (DoS) cyberattacks, to
train and test our model. The results of our experiments show that our CNN-LSTM method is much better
at finding smart grid intrusions than other deep learning algorithms used for classification. In addition,
our proposed approach improves accuracy, precision, recall, and F1 score, achieving a high detection
accuracy rate of 99.50%.
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...IJECEIAES
Climate change's impact on the planet forced the United Nations and governments to promote green energies and electric transportation. The deployments of photovoltaic (PV) and electric vehicle (EV) systems gained stronger momentum due to their numerous advantages over fossil fuel types. The advantages go beyond sustainability to reach financial support and stability. The work in this paper introduces the hybrid system between PV and EV to support industrial and commercial plants. This paper covers the theoretical framework of the proposed hybrid system including the required equation to complete the cost analysis when PV and EV are present. In addition, the proposed design diagram which sets the priorities and requirements of the system is presented. The proposed approach allows setup to advance their power stability, especially during power outages. The presented information supports researchers and plant owners to complete the necessary analysis while promoting the deployment of clean energy. The result of a case study that represents a dairy milk farmer supports the theoretical works and highlights its advanced benefits to existing plants. The short return on investment of the proposed approach supports the paper's novelty approach for the sustainable electrical system. In addition, the proposed system allows for an isolated power setup without the need for a transmission line which enhances the safety of the electrical network
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...IJECEIAES
Medical image analysis has witnessed significant advancements with deep learning techniques. In the domain of brain tumor segmentation, the ability to
precisely delineate tumor boundaries from magnetic resonance imaging (MRI)
scans holds profound implications for diagnosis. This study presents an ensemble convolutional neural network (CNN) with transfer learning, integrating
the state-of-the-art Deeplabv3+ architecture with the ResNet18 backbone. The
model is rigorously trained and evaluated, exhibiting remarkable performance
metrics, including an impressive global accuracy of 99.286%, a high-class accuracy of 82.191%, a mean intersection over union (IoU) of 79.900%, a weighted
IoU of 98.620%, and a Boundary F1 (BF) score of 83.303%. Notably, a detailed comparative analysis with existing methods showcases the superiority of
our proposed model. These findings underscore the model’s competence in precise brain tumor localization, underscoring its potential to revolutionize medical
image analysis and enhance healthcare outcomes. This research paves the way
for future exploration and optimization of advanced CNN models in medical
imaging, emphasizing addressing false positives and resource efficiency.
Advanced control scheme of doubly fed induction generator for wind turbine us...IJECEIAES
This paper describes a speed control device for generating electrical energy on an electricity network based on the doubly fed induction generator (DFIG) used for wind power conversion systems. At first, a double-fed induction generator model was constructed. A control law is formulated to govern the flow of energy between the stator of a DFIG and the energy network using three types of controllers: proportional integral (PI), sliding mode controller (SMC) and second order sliding mode controller (SOSMC). Their different results in terms of power reference tracking, reaction to unexpected speed fluctuations, sensitivity to perturbations, and resilience against machine parameter alterations are compared. MATLAB/Simulink was used to conduct the simulations for the preceding study. Multiple simulations have shown very satisfying results, and the investigations demonstrate the efficacy and power-enhancing capabilities of the suggested control system.
Comparative analysis between traditional aquaponics and reconstructed aquapon...bijceesjournal
The aquaponic system of planting is a method that does not require soil usage. It is a method that only needs water, fish, lava rocks (a substitute for soil), and plants. Aquaponic systems are sustainable and environmentally friendly. Its use not only helps to plant in small spaces but also helps reduce artificial chemical use and minimizes excess water use, as aquaponics consumes 90% less water than soil-based gardening. The study applied a descriptive and experimental design to assess and compare conventional and reconstructed aquaponic methods for reproducing tomatoes. The researchers created an observation checklist to determine the significant factors of the study. The study aims to determine the significant difference between traditional aquaponics and reconstructed aquaponics systems propagating tomatoes in terms of height, weight, girth, and number of fruits. The reconstructed aquaponics system’s higher growth yield results in a much more nourished crop than the traditional aquaponics system. It is superior in its number of fruits, height, weight, and girth measurement. Moreover, the reconstructed aquaponics system is proven to eliminate all the hindrances present in the traditional aquaponics system, which are overcrowding of fish, algae growth, pest problems, contaminated water, and dead fish.
Gas agency management system project report.pdfKamal Acharya
The project entitled "Gas Agency" is done to make the manual process easier by making it a computerized system for billing and maintaining stock. The Gas Agencies get the order request through phone calls or by personal from their customers and deliver the gas cylinders to their address based on their demand and previous delivery date. This process is made computerized and the customer's name, address and stock details are stored in a database. Based on this the billing for a customer is made simple and easier, since a customer order for gas can be accepted only after completing a certain period from the previous delivery. This can be calculated and billed easily through this. There are two types of delivery like domestic purpose use delivery and commercial purpose use delivery. The bill rate and capacity differs for both. This can be easily maintained and charged accordingly.
2. ISSN: 1693-6930
TELKOMNIKA Vol. 17, No. 2, April 2019: 693-702
694
more smartphones with NFC chip in it. It is estimated that 64% of smartphones will be NFC
enabled phones by 2018 [11]. Assessing the downsides in password and OTP systems, in this
research we propose a new authentication protocol called 2FYSH. 2FYSH is a secure-token
based authentication protocol using two SYH factors which are mobile phones and NFC cards.
2FYSH also offers the third factor to people who lock their phone with either SYK (pattern lock,
PIN, password, etc.) or SYA (face recognition, and fingerprint) factor.
2. Related Works
One-time password (OTP) is a password that is valid only after one authentication [12].
OTP authentication was created mainly to secure the system from eavesdropping and replay
attacks on usual password authentication method [13]. RSA SecurID [14] and Google
Authenticator [15] are well-known examples of OTP implementation. Unfortunately, common
OTP mechanisms such as [16, 17] have the possibility of vulnerability on the server side. When
compromised, attackers might obtain the shared secrets and compute the OTP to authenticate.
Compared to that, 2FYSH protocol stays safe even when the server is compromised and cannot
be phished-thanks to 2FYSH’s private and public key with challenge-response scheme. In terms
of usability, 2FYSH acts like requiring users to bring both RSA SecurID and smartphone at the
same time, but a smartphone and an NFC card is something that user relatively always have
with them.
FIDO U2F (Universal Second Factor) has created the login process very easy for users.
By only presenting the second factor in the form of a USB device and tapping it when the light
blinks, users can authenticate themselves to the system. Since the USB device acts like a
physical key, the implementation is usually combined with a PIN. FIDO U2F uses the same
public and private with a challenge-response protocol [18, 19]. It is still relatively a burden for
users to bring a USB device all the time with them, compared to 2FYSH that requires the user to
bring an NFC card which usually is worn as a name tag or placed inside the wallet. The main
advantages of 2FYSH are that 2FYSH doesn’t require the user to buy any special device,
compared to the FIDO U2F USB device which still costs some amount money (by
November 2017).
Pico [20] is a password replacement authentication proposed by Stajano in 2011. While
2FYSH is using the same two hardware tokens concept to authenticate, 2FYSH and Pico act a
little bit different. Pico can have a lot of picosiblings which is recommended to be wearable
devices such as earrings, watch, and necklaces. To authenticate, Pico device will need to
communicate actively by sending ping and pong with the picosiblings to unlock the secret key
located at Pico device. Because of that, Pico supports continuous authentication which means
when Pico separates from picosiblings, it will automatically log the user out from the system.
Because Pico is recommended to be a dedicated device with capabilities of camera and
radio, it requires the user to bring/wear minimum one extra hardware token with them (proposed
as wearable device). Since Pico and picosiblings need to communicate actively, it will need a lot
amount of energy which results in the need of frequent charging on the devices (Pico &
picosiblings). In contrast, 2FYSH only need a smartphone to recharge which should not really
matter because it is considered normal to recharge a smartphone. 2FYSH also requires the
user to bring much normal tokens (such as a card compared to techy earrings) for users than
Pico. Moreover, to use Pico, it is definitely will cost more rather than 2FYSH since all of Pico
system are some unusual extra dedicated tokens.
The implementation of 2FYSH is quite similar to Loxin [21] by using public and private
key with the private key stored in the smartphone. The use of trusted third party is a minus
score on the security aspect according to Bonneau’s proposed UDS framework [22]. Loxin still
uses a trusted third party in the system while 2FYSH doesn’t require it. 2FYSH is safe because
it does not use CA by design and also offers the second protection by the need of presenting an
NFC card to authenticate.
3. Proposed Design
2FYSH is an abbreviation of “Two Factor (authentication) You Should Have” and read
as “two fish”. By the name, the protocol is offering two layers of authentication of SYH factor.
Those two factors are a mobile phone and an NFC card. Simply put, to authenticate to the
relying party, the user should be able to present a registered NFC card to the mobile phone.
3. TELKOMNIKA ISSN: 1693-6930
2FYSH: two-factor authentication you should have.. (Sunderi Pranata)
695
The main strength of this authentication protocol is on the two factors of SYH. 2FYSH could also
be three factors if the users lock their phone with some kind of security such as SYK factor (e.g.
PIN, password, pattern lock) or SYA factor (e.g. fingerprint, face recognition) factor. The
additional third factor is considered as not an additional cognitive burden to the user since it is
frequently used every day.
2FYSH protocol uses TLS-like public-private key scheme combined with challenge-
response protocol to provide secure authentication. The private key should be stored on the
mobile phone which has a special key storage hardware called secure element. This way, the
secrets will be kept secret not only by software but also hardware; thus, preventing any
(unauthorized) access to the private key even the user has rooted the phone [23, 24]. The NFC
card used to authenticate will also be secured by encrypting the salt (will be explained further in
the next section) data with the public key. Requirement: To make sure that the NFC card’s salt
data could not be compromised, all communication has to be over a secure channel (eg.
HTTPS, IPSec, etc). Otherwise, 2FYSH becomes one-factor authentication (smartphone only).
3.1. Architecture
In the 2FYSH protocol, there will be 4 main entities, as shown in Figure 1:
1. 2FYSH server: A back-end server for 2FYSH service. This back-end server stores the
2FYSH users’ credentials, generate challenges, verify user authentication.
2. 2FYSH app: A 2FYSH authenticator application installed on the users’ mobile phone. It can
also be installed on computers but it will be less practical for the user since computers are
not designed to be as mobile as mobile phones. This application stores all 2FYSH
credentials of the user. 2FYSH app also reads the challenge generated by the 2FYSH server
and sends the authentication response to the server for verifying purposes.
3. Client: An application which users use that provides the interface to sign up or sign in.
This client can be in any form such as desktop/mobile browser, desktop/mobile app.
4. NFC card: A token which users need to present to the 2FYSH app in order to sign in.
The NFC card will hold a salt data encrypted with the user credential’s public key.
Figure 1. 2FYSH protocol model
4. ISSN: 1693-6930
TELKOMNIKA Vol. 17, No. 2, April 2019: 693-702
696
The data on the client could not be just transferred to the 2FYSH app since they may be
on separate devices. The 2FYSH protocol also defines some special schemes for data passing
between the client and the 2FYSH app.
1. 2D visual code: This scheme is used whenever client and 2FYSH app are separate devices.
For example: the client is a desktop browser and the 2FYSH app is on the mobile phone
(always).
2. Button (URI link): This scheme is used whenever client and 2FYSH app are on one same
device. For example: the client is a mobile browser and on the same device with the 2FYSH
app.
3. Directly from the app: This scheme is used whenever the client is the mobile app and 2FYSH
app functionality is implemented directly in the app. With this, the data sent from the 2FYSH
server can be directly processed in the app without the need of passing data to the 2FYSH
app. For example: Facebook mobile app implements 2FYSH protocol directly to the app.
3.2. Registration
On the registration process, there are two types of data being sent. The first data being
sent is called registration data, the data is being sent by 2FYSH server to the client. The second
data is the response data from the client to the server and will be called registration
response data.
3.2.1. 2FYSH Registration-Parameters
The registration data sent from server to client will be having 5 key parameters: action,
username, app ID, challenge, and register portal. Parameter action is to identify “registration” or
“authentication” action for the client. Since the user may have more than one credential for each
app (App ID), parameter username is needed for identifying purposes. The challenge is a
random 128, 192, or 256 bits (encoded to HEX), generated by the 2FYSH server with secure
random byte generator. All the parameters will be processed by the 2FYSH app and are going
to be sent to the register portal which acts as service.
The 2FYSH app will process the data needed and sends back registration response
data to the server. The registration response data will be having 4 parameters: username,
challenge, public key, and key handle. The 2FYSH app will process the registration data and
create a key pair (public and private key). The private key will be stored on the phone’s secure
element (key store) and the public key is sent through a secure channel to the 2FYSH server.
Since the private key is stored on a secure element, it will need an alias to call the specific key
for doing procedures. The alias is created as a random 32, 64, or 128 bits (encoded in HEX)
and it is called as key handle. The challenge and key handle parameters should be sent in
encrypted form using private key.
3.2.2. 2FYSH Registration-Stored Data
Aside from all the data being sent, there will also some data being created and stored
through the registration process.
1. Counter: is an integer value with an initial value of 0; stored by both 2FYSH server and
2FYSH client. The counter will act as the last measure of the security to detect if somehow in
the future, the system could be broken. Counter value will be incremented by the 2FYSH
server and the 2FYSH app every successful authentication. Whenever the counter value of
2FYSH server is larger than the 2FYSH client, there will be a high chance that the 2FYSH
app has been cloned.
2. Salt: is a random 32 or 64 bits (encoded to HEX). The value of salt will later be encrypted by
the 2FYSH server using public key received on the registration process and the encrypted
value will be written to an NFC card. The card will be issued to the user for authentication by
the relying party.
3.2.3. 2FYSH Registration-Process
On the registration process, registration_data will be sent by 2FYSH server to the client.
The client will then pass the data through the stated data passing schemes (look point 3.2.1).
The 2FYSH app will receive the data and then create the key pair and the key handle to
access it. The 2FYSH app will store the credential data needed for authentication and user
interface (key handle, username, app id, counter=0). After all that, the app will send back
5. TELKOMNIKA ISSN: 1693-6930
2FYSH: two-factor authentication you should have.. (Sunderi Pranata)
697
registration_response_data to the server. The 2FYSH server will create salt for the
corresponding credential and store the credential data to its database (username, public key,
salt, key handle, counter=0). The salt value will be encrypted with public key, and the encrypted
value will be written to an NFC card. Then, the relying party will issue the NFC card to the user.
3.3. Authentication
On the authentication process, there are two types of data being sent. The first data
being sent is called authentication_data, the data is being sent by 2FYSH server to the client.
The second data is the response data from the client to the server and will be called
authentication_ response_data.
3.3.1. 2FYSH Authentication-Parameters
The authentication data sent from server to client will be having 6 key parameters:
action, username, app ID, challenge, key handle, and authentication portal. The authentication
response data sent from the client back to the server will be having these 3 key parameters:
username, challenge+salt, and counter. Challenge+salt is concatenated bits of challenge and
salt. The value of salt is retrieved by 2FYSH app through the NFC card. Since the NFC card
only holds the public-key-encrypted value of salt, the app will decrypt it by using the credential’s
private key (recognized by the key handle). The 2FYSH app stored counter value will also be
sent to the server. The challenge+salt and counter data will be sent in encrypted form using
private key.
3.3.2. 2FYSH Authentication–Process
On the authentication process, authentication_data will be sent by 2FYSH server to the
client. The client will then pass the data through the stated data passing schemes (look
point 3.2.1). The 2FYSH app will receive the data and will also wait for the NFC tap to the phone
to get the encrypted value of salt. By referencing to the key handle, the 2FYSH app will do three
things: retrieve the current value of counter from the database, decrypt the encrypted salt value
using its corresponding private key to get the plain salt value, and encrypt the challenge+salt
value and the counter. The 2FYSH server will decrypt the encrypted data and get the
challenge+salt value. The authentication process is done on the 2FYSH server. The server will
concatenate the challenge that had been sent with stored salt value and compare it to the
challenge+salt value received; and if it matches, the authentication is successful; thus, the
2FYSH server could set a session/establish a connection to the client.
4. Implementation
We implemented the initial prototype of the protocol design with a web server as the
2FYSH server, desktop/mobile browser as the client, android application as the 2FYSH
application, and NTAG215 NFC card.
4.1. 2FYSH Server Implementation
2FYSH prototype on the server side is using simple web interface. First, the user will
need to enter the username registered. After that, the browser screen will show a QR code and
a URI link. The QR code is used when the browser is on the desktop platform. The 2FYSH app
will have a viewfinder searching for QR code with the 2FYSH data format. The URI link is used
when the browser is on the same mobile device with the 2FYSH app. The communication data
used in this prototype implementation is JSON. The JSON data is embedded in the QR code
and the URI link.
4.2. 2FYSH App Implementation
The implementation of the 2FYSH app is made as simple as possible. The main
interface of the app constructed mainly by a camera view as shown in Figure 2. In order to do
either registration or authentication process, no button is needed to be pressed. The user will
just need to point the camera to the QR code shown from the browser and it will prompt for NFC
card tap to the phone. Once the NFC card tap has been done, the browser will automatically
load the requested page. If the browser is in the same mobile phone as the 2FYSH app, the
6. ISSN: 1693-6930
TELKOMNIKA Vol. 17, No. 2, April 2019: 693-702
698
user will just have to click the URI link and the 2FYSH app will open directly to the NFC card tap
prompt page and the rest is the same.
The 2FYSH app design supports the interface of key list to the users. Key list is a list of
credentials that had been registered to the 2FYSH app. With the key lists, users can look at the
credentials they had registered and revoke them whenever they want. A single key is as shown
in the red box in Figure 2, with a button DELETE on the right to delete the credential.
Figure 2. 2FYSH Mobile App User Interface
5. Analysis
5.1. Usability Test
Based on Jakob Nielsen’s mathematical model on usability testing at 1993, only
minimum 3 to 5 people are needed to address 85% of the usability problem [25].
The experiment on this paper was conducted to 2 groups of 5 people (total 10 people). The first
group consists of average users (can operate computers, send email, browsing, work with word
processors and spreadsheets), and the rest consists of expert users (can write a program,
install OS). The chosen 10 people were told to try the 2FYSH authentication in desktop and
mobile. For comparison, we also asked them to try the existing solution on authentication, FIDO
U2F [18]. The test participants were given the following task: (1) Listen on how to do 2FYSH
registration, (2) Do the 2FYSH registration, (3) Listen on how to do 2FYSH authentication, (4)
Do the 2FYSH authentication (first), (5) Do the 2FYSH authentication (second), (6) Listen on
how to do 2FYSH mobile authentication, (7) Do the 2FYSH mobile authentication, (8) Listen on
how to do U2F registration, (9) Do the U2F registration, (10) Listen on how to do U2F
authentication, (11) Do the U2F authentication (first), (12) Do the U2F authentication (second).
7. TELKOMNIKA ISSN: 1693-6930
2FYSH: two-factor authentication you should have.. (Sunderi Pranata)
699
Each person completed the usability test by 20-30 minutes. Each task was noted on
how much time spent to complete one task. The interviewer also observed the errors occurred
during the completion of the task. Based on the usability experiment conducted, here are some
findings: The average time spent to complete the authentication process decreases from the
first to the second try. For average users, they only require 16.2 seconds for desktop
authentication and 11.5 seconds for mobile authentication. Authentication with token is
generally harder for average users than expert users. However, it in happens not only 2FYSH
but also U2F. As users use the new authentication system, the error count decreases.
This indicates that 2FYSH is relatively easy to be learnt. According to the participants, effort to
authenticate with 2FYSH is at 3.1 from a 11-point Likert scale. Test participants feels that it is
easy to learn using 2FYSH and u2f authentication.
Most of test participants prefer U2F when compared to 2FYSH, U2F, password. When
the test participants were explained the trade-offs between each authentication system in terms
of security, usability, and economy; 5 test participants choose 2FYSH, and the other 5 test
participants choose password. When asked, the reasons of them not choosing U2F is because
the U2F authenticator costs a lot.From the 5 test participants who chose 2FYSH, the reason
they chose 2FYSH is because 2FYSH is safer and only 2 test participants state that 2FYSH is
usable.To protect sensitive information, 9 out of 10 test participants prefer to use 2FYSH. There
are some things that test participants do not like from 2FYSH such as problems concerning
smartphones and cards. Test participants also think of it as hassles.
5.2. UDS Framework Analysis
Bonneau et al. [22] evaluated two decades worth of proposal on replacing text
passwords for general-purpose user authentication on the web, resulting in a comprehensive
comparative evaluation framework of web authentication schemes. The framework is also called
Usability-Deployability – Security Framework (UDS Framework). In this paper, we will be using
their framework to evaluate the security and deployability on our newly proposed authentication
protocol. In the framework, there will be three possible answers to the benefits. “Yes” if the
benefit is fully offered, “No” if the benefit is not offered at all, and “Quasi” if the system almost
offers the benefit [22].
5.2.1. Security Analysis
S1 Resilient to Physical Observation [YES]: 2FYSH uses public and private key along with
a challenge-response scheme to authenticate. Also, the private key is stored in the
secure element (key store).
S2 Resilient to Targeted Impersonation [Quasi]: Even with the two tokens, 2FYSH almost
offer this benefit. However, there is a scenario of social engineering attack where close
acquaintances, friends, or even family could know the phone security and steal the
phone along with the NFC card and authenticate in a relatively short time, for example:
while having a toilet break. Only the average of 14.8 seconds is needed to do
authentication based on our usability test.
S3 Resilient to Throttled Guessing [YES]: 2FYSH protocol uses public and private key
along with a challenge-response scheme to authenticate. Beside the technical defense
property of the protocol, throttled guessing cannot be done because of the requirement
of two SYH factor.
S4 Resilient to Unthrottled Guessing [YES]: 2FYSH protocol uses public and private key
along with a challenge-response scheme to authenticate. The attackers can
deliberately send the guessed encrypted challenge along with the salt but will still likely
to fail because there are a lot of combinations which can be made with asymmetric
encryption.
S5 Resilient to Internal Observation [YES]: 2FYSH app stores its private key on the secure
element (key store) which is safe even if the mobile phone is infected with malware.
S6 Resilient to Leaks from Other Verifiers [YES]: 2FYSH app creates a key pair for every
registration process regardless the site and the username.
S7 Resilient to Phishing [YES]: 2FYSH uses public and private key along with a challenge-
response scheme to authenticate and the only way to solve the challenge is to present
the registered mobile phone.
8. ISSN: 1693-6930
TELKOMNIKA Vol. 17, No. 2, April 2019: 693-702
700
S8 Resilient to Theft [Quasi]: 2FYSH offers this benefit only to the people who lock their
phone with some kind of security such as PIN, pattern lock, password, face recognition,
fingerprint, etc. Otherwise, 2FYSH will just act like traditional key scheme such as car
keys, which if stolen, it will be vulnerable to attacks.
S9 No trusted Third Party [YES]: 2FYSH protocol needs 2FYSH server, 2FYSH app, client,
and NFC card to authenticate. No third party required.
S10 Requiring Explicit Consent [YES]: 2FYSH authentication requires explicit effort to take
pictures of QR code and NFC tap.
S11 Unlinkable [YES]: 2FYSH app creates a key pair for every registration process
regardless the site and the username.
5.2.2. Deployability Analysis
D1 Accessible [NO]: 2FYSH needs coordinated movement on pressing the button, pointing
the camera, and tapping the NFC card.
D2 Negligible Cost per User [Quasi]: The cost for the user to use 2FYSH authentication
could be free/negligible since mostly the card is provided by the third party such as
universities, companies, and banks. That is provided only if the users’ phone has
already equipped with NFC chip in it.
D3 Server Compatible [NO]: 2FYSH uses specialized scheme on authentication. To
implement, a 2FYSH server needs to be coded to accept the special parameters as well
as the database structures.
D4 Browser Compatible [YES]: 2FYSH protocol can be run on the standard browser which
supports HTML 5 with Javascript enabled.
D5 Mature [NO]: 2FYSH protocol is newly developed, there has not been any
implementation on a real web/app.
D6 Non-Proprietary [YES]: Free and an open protocol.
5.2.3 Usability Analysis
U1 Memory-wise Effortless [YES/Quasi]: Quasi memory-wise effortless if a form of SYK
(e.g.: PIN, password) authentication is used on the phone (Type of everyday used of
SYK counts as quasi). Totally memory-wise effortless if SYA (e.g.: finger print, face
recognition) authentication is used on the phone.
U2 Scalable for Users [YES]: 2FYSH is designed to accommodate this feature. Increasing
number of credentials require the exact same step to authenticate.
U3 Nothing to Carry [NO]: 2FYSH is token based, so this benefit is not offered.
U4 Physically Effortless [NO]: 2FYSH protocol requires user effort for phone unlocking,
camera aiming, and card tapping
U5 Easy to Learn [YES]: Based on the experiment conducted on this paper, 2FYSH
protocol quite easy to learn.
U6 Efficient to Use [YES]: Based on the experiment conducted on this paper, 2FYSH is
efficient to use.
U7 Infrequent Errors [Quasi]: Based on the experiment conducted on this paper, 12.5% of
users suffer from user technical errors (such as delay in QR scanning or NFC card
tapping). The errors only effects in delay in the authentication process and do not imply
failures of the authentication.
U8 Easy Recovery from Loss [NO]: The design of 2FYSH does not support to recover from
loss easily. The loss of NFC card will need the third-party card issuer to reissue the
card and the loss of registered phone will need the relying entity to revoke the old
phone authority and register it to the new one.
5.3. Omitting the Use of Username
By completely omitting the use of username for the user, user will never need to type
anything to register and authenticate anymore. The current proposed 2FYSH protocol does not
specify how to achieve this yet but, by letting 2FYSH app reads the app ID and determines the
corresponding credential, the concept can be achieved. So, in order to authenticate, the user
will just need to take the phone, scan the 2D visual code, and tap the NFC card. However, note
that the user may need to be prompted on which credential to be chosen when there are more
9. TELKOMNIKA ISSN: 1693-6930
2FYSH: two-factor authentication you should have.. (Sunderi Pranata)
701
than one credentials in a single app ID on the 2FYSH app. Omitting the use of username will
definitely strengthen the usability aspect of 2FYSH but weaken the security since username is
also one form of secret.
6. Conclusion
According to our experiment, survey, and analysis, 2FYSH is secure yet usable. 2FYSH
protects the user from usual password attacks such as man-in-the-middle attack, phishing,
eavesdropping, brute forcing, shoulder surfing, key logging, and verifier leaking. 2FYSH is
generally fast for authentication with a high success rate. For average users, they only require
16.2 seconds for desktop authentication and 11.5 seconds for mobile authentication. 2FYSH is
easy to learn and prefered to protect sensitive information over U2F token and passwords. This
fact makes 2FYSH best applied to secure sensitive data needs such as bank accounts and
corporate secrets. However, there are some things that test participants do not like and possible
for future works such as the need of using 2 tokens (smartphone and card) and the method to
authenticate which still considered by some as a hassle.
References
[1] Hoonakker P, Bornoe N, Carayon P. Password Authentication from a Human Factors Perspective:
Results of a Survey among End-Users. Proceedings of the Human Factors and Ergonomics Society
Annual Meeting. 2009; 53: 459-463.
[2] National Institute of Standards and Technology. SP 800-63-2. Electronic Authentication Guideline.
NIST; 2013.
[3] D Dasgupta, A Roy, A Nag. Multi-Factor Authentication. Advances in User Authentication. Cham:
Springer International Publishing. 2017:185–233.
[4] D Dasgupta, A Roy, A Nag. Toward the design of adaptive selection strategies for multi-factor
authentication. Computers & Security. 2016;63:85–116.
[5] Y Shah, V Choyi, L Subramanian. Multi-factor Authentication as a Service. 3rd IEEE International
Conference on Mobile Cloud Computing, Services, and Engineering, San Francisco, CA, USA.
2015:144–150.
[6] C Mulliner, R Borgaonkar, P Stewin, J P Seifert. SMS-Based One-Time Passwords: Attacks and
Defense. Detection of Intrusions and Malware, and Vulnerability Assessment. Berlin, Heidelberg:
Springer Berlin Heidelberg. 2013;7967:150–159.
[7] G Varshney, M Misra, P Atrey. Secure Authentication Scheme to Thwart RT MITM, CR MITM and
Malicious Browser Extension Based Phishing Attacks. Journal of Information Security and
Applications. 2018; 42:1-17.
[8] Jingai Xu, Jiang Qi, Xi Ye. OTP Bidirectional Authentication Scheme Based on MAC Address. 2nd
IEEE International Conference on Computer and Communications (ICCC). 2016:1148–1152.
[9] A K Mohan, T Gireesh Kumar. Secure Seed-Based Sturdy OTP via Convenient Carry-on Device.
Artificial Intelligence and Evolutionary Algorithms in Engineering Systems. New Delhi: Springer India,
2015; 324:447–455.
[10] ReelPhish: A Real-Time Two-Factor Phishing Tool n.d FireEye Inc.
https://www.fireeye.com/blog/threat-research/2018/02/reelphish-real-time-two-factor-phishing-
tool.html. (Accessed Feb 15, 2019).
[11] Urien P. Cloud of Secure Elements: an Infrastructure for the Trust of Mobile NFC Services. IEEE 10
th
International Conference on Wireless and Mobile Computing, Networking and Communications
(WiMob). 2014:213-218.
[12] Barlian H P, Heru Nurwarsito, Wijaya Kurniawan. One-Time Password Implementation on Lego
Mindstorms NXT. TELKOMNIKA. 2014; 12(3): 689-694.
[13] Haller Neil, Craig Metz, Phil Nesser, Mike Straw. A One-Time Password System. No. RFC 2289.
1998.
[14] Two Factor Authentication | RSA SecurID Software Tokens. n.d. RSA.Com. http://www.rsa.com/en-
us/products/rsa-securid-suite/rsa-securid-access/securid-software-tokens. (Accessed July 31, 2018)
[15] Google Authenticator - Apps on Google Play. n.d.
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en.
(Accessed July 31, 2018)
[16] Rodrigues B, A Chaudhari, S More. Two Factor Verification Using QR-Code: A Unique Authentication
System for Android Smartphone Users. 2nd International Conference on Contemporary Computing
and Informatics (IC3I). .2016: 457–462.
[17] Aloul F, S Zahidi, W El-Hajj. Two Factor Authentication Using Mobile Phones. IEEE/ACS
International Conference on Computer Systems and Applications. 2009: 641–644.
10. ISSN: 1693-6930
TELKOMNIKA Vol. 17, No. 2, April 2019: 693-702
702
[18] Juan Lang, Alexei Czeskis, Dirk Balfanz, Marius Schilder, Sampath Srinivas. Security Keys: Practical
Cryptographic Second Factors for the Modern Web. International Conference on Financial
Cryptography and Data Security. Berlin, Heidelberg. 2016: 422-440.
[19] S Pranata, H T Nugroho, H Yamaki. Analisis dan Implementasi Protokol Otentikasi FIDO U2F. Jurnal
Ultima Computing. 2017; 9(1): 30-35.
[20] Stajano, Frank. Pico: No More Passwords!. International Workshop on Security Protocols. 2011.
Berlin, Heidelberg. 2011: 49-81.
[21] Zhu B, Fan X, Gong G. Loxin: a Solution to Password-less Universal Login. IEEE Computer
Communications Workshops. 2014: 488–93.
[22] Bonneau, J cormac Herley, Paul C van Oorschot, Frank Stajano. The Quest to Replace Passwords:
a Framework for Comparative Evaluation of Web Authentication Schemes. IEEE Symposium on
Security and Privacy. Oakland. 2012:553-567.
[23] Android Keystore System n.d. https://developer.android.com/training/articles/keystore.html (accessed
September 10, 2017).
[24] S S Kumbhar, Y Lee, J Yang. Hybrid Encryption for Securing SharedPreferences of Android
Applications. 1st International Conference on Data Intelligence and Security (ICDIS). South Padre
Island, TX. 2018: 246–249.
[25] Knapp J, Zeratsky J, Kowitz B. Sprint: How to Solve Big Problems and Test New Ideas in Just Five
Days. New York: Simon and Schuster. 2016.