Matching Items (5)
Filtering by
- All Subjects: blockchain
- Creators: Doupe, Adam
Description
This thesis proposed a novel approach to establish the trust model in a social network scenario based on users' emails. Email is one of the most important social connections nowadays. By analyzing email exchange activities among users, a social network trust model can be established to judge the trust rate between each two users. The whole trust checking process is divided into two steps: local checking and remote checking. Local checking directly contacts the email server to calculate the trust rate based on user's own email communication history. Remote checking is a distributed computing process to get help from user's social network friends and built the trust rate together. The email-based trust model is built upon a cloud computing framework called MobiCloud. Inside MobiCloud, each user occupies a virtual machine which can directly communicate with others. Based on this feature, the distributed trust model is implemented as a combination of local analysis and remote analysis in the cloud. Experiment results show that the trust evaluation model can give accurate trust rate even in a small scale social network which does not have lots of social connections. With this trust model, the security in both social network services and email communication could be improved.
ContributorsZhong, Yunji (Author) / Huang, Dijiang (Thesis advisor) / Dasgupta, Partha (Committee member) / Syrotiuk, Violet (Committee member) / Arizona State University (Publisher)
Created2011
Description
Third-party mixers are used to heighten the anonymity of Bitcoin users. The mixing techniques implemented by these tools are often untraceable on the blockchain, making them appealing to money launderers. This research aims to analyze mixers currently available on the deep web. In addition, an in-depth case study is done on an open-source bitcoin mixer known as Penguin Mixer. A local version of Penguin Mixer was used to visualize mixer behavior under specific scenarios. This study could lead to the identification of vulnerabilities in mixing tools and detection of these tools on the blockchain.
ContributorsPakki, Jaswant (Author) / Doupe, Adam (Thesis director) / Shoshitaishvili, Yan (Committee member) / Computer Science and Engineering Program (Contributor, Contributor) / Barrett, The Honors College (Contributor)
Created2018-12
Description
E-Mail header injection vulnerability is a class of vulnerability that can occur in web applications that use user input to construct e-mail messages. E-Mail injection is possible when the mailing script fails to check for the presence of e-mail headers in user input (either form fields or URL parameters). The vulnerability exists in the reference implementation of the built-in “mail” functionality in popular languages like PHP, Java, Python, and Ruby. With the proper injection string, this vulnerability can be exploited to inject additional headers and/or modify existing headers in an e-mail message, allowing an attacker to completely alter the content of the e-mail.
This thesis develops a scalable mechanism to automatically detect E-Mail Header Injection vulnerability and uses this mechanism to quantify the prevalence of E- Mail Header Injection vulnerabilities on the Internet. Using a black-box testing approach, the system crawled 21,675,680 URLs to find URLs which contained form fields. 6,794,917 such forms were found by the system, of which 1,132,157 forms contained e-mail fields. The system used this data feed to discern the forms that could be fuzzed with malicious payloads. Amongst the 934,016 forms tested, 52,724 forms were found to be injectable with more malicious payloads. The system tested 46,156 of these and was able to find 496 vulnerable URLs across 222 domains, which proves that the threat is widespread and deserves future research attention.
This thesis develops a scalable mechanism to automatically detect E-Mail Header Injection vulnerability and uses this mechanism to quantify the prevalence of E- Mail Header Injection vulnerabilities on the Internet. Using a black-box testing approach, the system crawled 21,675,680 URLs to find URLs which contained form fields. 6,794,917 such forms were found by the system, of which 1,132,157 forms contained e-mail fields. The system used this data feed to discern the forms that could be fuzzed with malicious payloads. Amongst the 934,016 forms tested, 52,724 forms were found to be injectable with more malicious payloads. The system tested 46,156 of these and was able to find 496 vulnerable URLs across 222 domains, which proves that the threat is widespread and deserves future research attention.
ContributorsChandramouli, Sai Prashanth (Author) / Doupe, Adam (Thesis advisor) / Ahn, Gail-Joon (Committee member) / Zhao, Ziming (Committee member) / Arizona State University (Publisher)
Created2016
Description
The traditional access control system suffers from the problem of separation of data ownership and management. It poses data security issues in application scenarios such as cloud computing and blockchain where the data owners either do not trust the data storage provider or even do not know who would have access to their data once they are appended to the chain. In these scenarios, the data owner actually loses control of the data once they are uploaded to the outside storage. Encryption-before-uploading is the way to solve this issue, however traditional encryption schemes such as AES, RSA, ECC, bring about great overheads in key management on the data owner end and could not provide fine-grained access control as well.
Attribute-Based Encryption (ABE) is a cryptographic way to implement attribute-based access control, which is a fine-grained access control model, thus solving all aforementioned issues. With ABE, the data owner would encrypt the data by a self-defined access control policy before uploading the data. The access control policy is an AND-OR boolean formula over attributes. Only users with attributes that satisfy the access control policy could decrypt the ciphertext. However the existing ABE schemes do not provide some important features in practical applications, e.g., user revocation and attribute expiration. Furthermore, most existing work focus on how to use ABE to protect cloud stored data, while not the blockchain applications.
The main objective of this thesis is to provide solutions to add two important features of the ABE schemes, i.e., user revocation and attribute expiration, and also provide a practical trust framework for using ABE to protect blockchain data. To add the feature of user revocation, I propose to add user's hierarchical identity into the private attribute key. In this way, only users whose identity is not revoked and attributes satisfy the access control policy could decrypt the ciphertext. To add the feature of attribute expiration, I propose to add the attribute valid time period into the private attribute key. The data would be encrypted by access control policy where all attributes have a temporal value. In this way, only users whose attributes both satisfy the access policy and at the same time these attributes do not expire,
are allowed to decrypt the ciphertext. To use ABE in the blockchain applications, I propose an ABE-enabled trust framework in a very popular blockchain platform, Hyperledger Fabric. Based on the design, I implement a light-weight attribute certificate authority for attribute distribution and validation; I implement the proposed ABE schemes and provide a toolkit which supports system setup, key generation,
data encryption and data decryption. All these modules were integrated into a demo system for protecting sensitive les in a blockchain application.
Attribute-Based Encryption (ABE) is a cryptographic way to implement attribute-based access control, which is a fine-grained access control model, thus solving all aforementioned issues. With ABE, the data owner would encrypt the data by a self-defined access control policy before uploading the data. The access control policy is an AND-OR boolean formula over attributes. Only users with attributes that satisfy the access control policy could decrypt the ciphertext. However the existing ABE schemes do not provide some important features in practical applications, e.g., user revocation and attribute expiration. Furthermore, most existing work focus on how to use ABE to protect cloud stored data, while not the blockchain applications.
The main objective of this thesis is to provide solutions to add two important features of the ABE schemes, i.e., user revocation and attribute expiration, and also provide a practical trust framework for using ABE to protect blockchain data. To add the feature of user revocation, I propose to add user's hierarchical identity into the private attribute key. In this way, only users whose identity is not revoked and attributes satisfy the access control policy could decrypt the ciphertext. To add the feature of attribute expiration, I propose to add the attribute valid time period into the private attribute key. The data would be encrypted by access control policy where all attributes have a temporal value. In this way, only users whose attributes both satisfy the access policy and at the same time these attributes do not expire,
are allowed to decrypt the ciphertext. To use ABE in the blockchain applications, I propose an ABE-enabled trust framework in a very popular blockchain platform, Hyperledger Fabric. Based on the design, I implement a light-weight attribute certificate authority for attribute distribution and validation; I implement the proposed ABE schemes and provide a toolkit which supports system setup, key generation,
data encryption and data decryption. All these modules were integrated into a demo system for protecting sensitive les in a blockchain application.
ContributorsDong, Qiuxiang (Author) / Huang, Dijiang (Thesis advisor) / Sen, Arunabha (Committee member) / Doupe, Adam (Committee member) / Arizona State University (Publisher)
Created2020
Description
The lack of fungibility in Bitcoin has forced its userbase to seek out tools that can heighten their anonymity. Third-party Bitcoin mixers utilize obfuscation techniques to protect participants from blockchain analysis. In recent years, various centralized and decentralized Bitcoin mixing implementations have been proposed in academic literature. Although these methods depict a threat-free environment for users to preserve their anonymity, public Bitcoin mixers continue to be associated with theft and poor implementation.
This research explores the public Bitcoin mixer ecosystem to identify if today's mixing services have adopted academically proposed solutions. This is done through real-world interactions with publicly available mixers to analyze both implementation and resistance to common threats in the mixing landscape. First, proposed decentralized and centralized mixing protocols found in literature are outlined. Then, data is presented from 19 publicly announced mixing services available on the deep web and clearnet. The services are categorized based on popularity with the Bitcoin community and experiments are conducted on five public mixing services: ChipMixer, MixTum, Bitcoin Mixer, CryptoMixer, and Sudoku Wallet.
The results of the experiments highlight a clear gap between public and proposed Bitcoin mixers in both implementation and security. Today's mixing services focus on presenting users with a false sense of control to gain their trust rather then employing secure mixing techniques. As a result, the five selected services lack implementation of academically proposed techniques and display poor resistance to common mixer-related threats.
This research explores the public Bitcoin mixer ecosystem to identify if today's mixing services have adopted academically proposed solutions. This is done through real-world interactions with publicly available mixers to analyze both implementation and resistance to common threats in the mixing landscape. First, proposed decentralized and centralized mixing protocols found in literature are outlined. Then, data is presented from 19 publicly announced mixing services available on the deep web and clearnet. The services are categorized based on popularity with the Bitcoin community and experiments are conducted on five public mixing services: ChipMixer, MixTum, Bitcoin Mixer, CryptoMixer, and Sudoku Wallet.
The results of the experiments highlight a clear gap between public and proposed Bitcoin mixers in both implementation and security. Today's mixing services focus on presenting users with a false sense of control to gain their trust rather then employing secure mixing techniques. As a result, the five selected services lack implementation of academically proposed techniques and display poor resistance to common mixer-related threats.
ContributorsPakki, Jaswant (Author) / Doupe, Adam (Thesis advisor) / Shoshitaishvili, Yan (Committee member) / Wang, Ruoyu (Committee member) / Arizona State University (Publisher)
Created2020