Security and privacy issues in medical wireless body area networks (WBANs) constitute a major unsolved concern because of the challenges posed by the scarcity of resources in WBAN devices and the usability restrictions imposed by the healthcare domain. In this paper, we describe a WBAN architecture based on the well-known publish-subscribe paradigm. We present two protocols for publishing data and sending commands to a sensor that guarantee confidentiality and fine-grained access control. Both protocols are based on a recently proposed ciphertext policy attribute-based encryption (CP-ABE) scheme that is lightweight enough to be embedded into wearable sensors. We show how sensors can implement lattice-based access control (LBAC) policies using this scheme, which are highly appropriate for the eHealth domain. We report experimental results with a prototype implementation demonstrating the suitability of our proposed solution.
Abstract:The proliferation of wearable and implantable medical devices has given rise to an interest in developing security schemes suitable for these systems and the environment in which they operate. One area that has received much attention lately is the use of (human) biological signals as the basis for biometric authentication, identification and the generation of cryptographic keys. The heart signal (e.g., as recorded in an electrocardiogram) has been used by several researchers in the last few years. Specifically, the so-called Inter-Pulse Intervals (IPIs), which is the time between two consecutive heartbeats, have been repeatedly pointed out as a potentially good source of entropy and are at the core of various recent authentication protocols. In this work, we report the results of a large-scale statistical study to determine whether such an assumption is (or not) upheld. For this, we have analyzed 19 public datasets of heart signals from the Physionet repository, spanning electrocardiograms from 1353 subjects sampled at different frequencies and with lengths that vary between a few minutes and several hours. We believe this is the largest dataset on this topic analyzed in the literature. We have then applied a standard battery of randomness tests to the extracted IPIs. Under the algorithms described in this paper and after analyzing these 19 public ECG datasets, our results raise doubts about the use of IPI values as a good source of randomness for cryptographic purposes. This has repercussions both in the security of some of the protocols proposed up to now and also in the design of future IPI-based schemes.
Browser extensions enable rich experience for the users of today's web. Being deployed with elevated privileges, extensions are given the power to overrule web pages. As a result, web pages often seek to detect the installed extensions, sometimes for benign adoption of their behavior but sometimes as part of privacy-violating user fingerprinting. Researchers have studied a class of attacks that allow detecting extensions by probing for Web Accessible Resources (WARs) via URLs that include public extension IDs. Realizing privacy risks associated with WARs, Firefox has recently moved to randomize a browser extension's ID, prompting the Chrome team to plan for following the same path. However, rather than mitigating the issue, the randomized IDs can in fact exacerbate the extension detection problem, enabling attackers to use a randomized ID as a reliable fingerprint of a user. We study a class of extension revelation attacks, where extensions reveal themselves by injecting their code on web pages. We demonstrate how a combination of revelation and probing can uniquely identify 90% out of all extensions injecting content, in spite of a randomization scheme. We perform a series of large-scale studies to estimate possible implications of both classes of attacks. As a countermeasure, we propose a browser-based mechanism that enables control over which extensions are loaded on which web pages and present a proof of concept implementation which blocks both classes of attacks. Probing attack: Previous works [55], [53] have focused on non-behavioral detection, based on a browser extension's listed WARs. The WARs are public resources which can be fetched from the context of a web page using a predefined URL, consisting of a public extension ID (or Universally Unique Identifier (UUID)) and the path to that resource. With the predefined URL to fetch a WAR from an extension, a web page can mount a probing attack, designed to detect an extension by probing for WARs, since a response with the probed WAR indicates the corresponding extension is installed. This attack can be seen in Figure 1a where 1 denotes the requests made by the attacker to probe for an installed browser extension. If the browser extension is in the browser context, the attacker will get a response consisting of the requested WAR (denoted by 2). This attack can be magnified by probing for a set of browser extensions' resources, thereby enumerating
Online social networks (OSNs) are one of the most popular web-based services for people to communicate and share information with each other. With all their bene ts, OSNs might raise serious problems in what concerns users' privacy. One privacy risk is caused by accessing and sharing co-owned data items, i.e., when a user posts a data item that involves other users, some users' privacy may be disclosed, since users generally have di erent privacy preferences regarding who can access and share their data. Another risk is caused by the privacy settings o ered by OSNs that do not, in general, allow ne-grained enforcement, especially in cases where posted data items concern other users. We discuss and give examples of these issues, in order to illustrate their impacts on current OSNs' privacy protection mechanisms. We propose a collaborative access control framework to deal with such privacy issues. Basically, in our framework, the decision whether a user can access or share a co-owned data item is based on the aggregated opinion of all users involved. Our solution is based on the sensitivity level of users with respect to the concerned data item, the trust among users, the types of controllers (those who are concerned in making the collaborative decision) and the types of accessors (those who are identi ed to access a given data item or not). In order to observe how varying some of the parameters mentioned above in uence the outcome of the permitting/denying decision of the proposed solution, we provide an evaluation of our framework. We also present a proof-of-concept implementation of our approach in the open source OSN Diaspora.
MEGARA (Multi-Espectrógrafo en GTC de Alta Resolución para Astronomía) is an optical Integral-Field Unit (IFU)and Multi-Object Spectrograph (MOS) designed for the GTC 10.4m telescope in La Palma that is being built by a Consortium led by UCM (Spain) that also includes INAOE (Mexico), IAA-CSIC (Spain), and UPM (Spain). The instrument is currently finishing AIV and will be sent to GTC on November 2016 for its on-sky commissioning on April 2017. The MEGARA IFU fiber bundle (LCB) covers 12.5x11.3 arcsec 2 with a spaxel size of 0.62 arcsec while the MEGARA MOS mode allows observing up to 92 objects in a region of 3.5x3.5 arcmin 2 around the IFU.The IFU and MOS modes of MEGARA will provide identical intermediate-to-high spectral resolutions (R FWHM~6 ,000, 12,000 and 18,700, respectively for the low-, mid-and high-resolution Volume Phase Holographic gratings) in the range 3700-9800ÅÅ. An x-y mechanism placed at the pseudo-slit position allows (1) exchanging between the two observing modes and (2) focusing the spectrograph for each VPH setup. The spectrograph is a collimator-camera system that has a total of 11 VPHs simultaneously available (out of the 18 VPHs designed and being built) that are placed in the pupil by means of a wheel and an insertion mechanism. The custom-made cryostat hosts a 4kx4k 15-μm CCD. The unique characteristics of MEGARA in terms of throughput and versatility and the unsurpassed collecting are of GTC make of this instrument the most efficient tool to date to analyze astrophysical objects at intermediate spectral resolutions.In these proceedings we present a summary of the instrument characteristics and the results from the AIV phase. All subsystems have been successfully integrated and the system-level AIV phase is progressing as expected.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
hi@scite.ai
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.