Abstract
System security is largely incomplete without credential safety. The two are sides of the same coin, yet they are seldom addressed together when considering unauthorized-access attacks from a compromised system. Expressing credentials demonstrates ownership and assures system security, while credentials that remain unexpressed assure credential safety. Current monolithic authentication practices are limited in their ability to restrict the expression of credentials to a safe extent. We propose a comfort level security assurance framework for the pay-off and trade-off between credential safety and the security requisite of the functionality being requested. A proof of concept demonstrates how to reduce the expression of credentials during authentication and thereby preserve privacy. Its safety, security and privacy are evaluated under a user-adversary model, and the evaluation shows how comfort level credential safety and application security can be achieved by correctly mapping the ‘right credentials’ to the ‘right functionality’ of an application.
© 2020 Springer Nature Singapore Pte Ltd.
Rehman, H., Nazir, M., Mustafa, K. (2020). Credentials Safety and System Security Pay-off and Trade-off: Comfort Level Security Assurance Framework. In: Kapur, P.K., Singh, O., Khatri, S.K., Verma, A.K. (eds) Strategic System Assurance and Business Analytics. Asset Analytics. Springer, Singapore. https://doi.org/10.1007/978-981-15-3647-2_19
DOI: https://doi.org/10.1007/978-981-15-3647-2_19
Publisher Name: Springer, Singapore
Print ISBN: 978-981-15-3646-5
Online ISBN: 978-981-15-3647-2
eBook Packages: Business and Management (R0)