Design of Robust Authentication Protocols for Roaming Service in Glomonet and Mitigation of XSS Attacks in Web Applications
Date
2019
Authors
Shashidhara
Publisher
National Institute of Technology Karnataka, Surathkal
Abstract
Mobile devices have become an indispensable part of our daily lives due to their immense range of applications, including communication, e-commerce, social networking, information sharing and so on. Increasingly, mobile devices can couple with other gadgets using Wi-Fi (Wireless Fidelity), Bluetooth and GPS (Global Positioning System) technologies to access Internet services and other location-based services. In this context, privacy and security issues also arise.
Users are able to access ubiquitous services over wireless and mobile networks. These mobility environments rely on open channels and use radio waves to transmit information across the network. Messages transmitted over radio channels are susceptible to various attacks. In this environment, adversaries can launch threats including eavesdropping, masquerading, and tampering, which result in financial loss due to information leakage, stealing of passwords, etc. Hence, securing the network by ensuring authentication and confidentiality and by maintaining the integrity of information being transmitted and stored is essential.
Authentication is the process of verifying a claimed identity. The authentication method can involve multiple factors, with the level of security being proportional to the number and type of factors involved. The authentication system plays a crucial role in the context of the GLObal MObility NETwork (GLOMONET), where a Mobile User (MU) often needs seamless and secure roaming service over multiple Foreign Agents (FA). Several network threats become possible when a mobile user is unaware of the attacker or third party. Hence, ensuring the authentication of all communicating entities in mobile networks is essential; this is known as mutual authentication.
In this thesis, we study the importance of authentication and key agreement mechanisms for the roaming service in global mobility networks. Initially, the security strength of various authentication protocols in mobility networks has been analyzed, revealing that the existing protocols are vulnerable to well-known attacks. As a remedy, secure and robust authentication protocols for roaming service have been designed. The proposed protocols have been proved to be secure using informal security analysis, Burrows-Abadi-Needham (BAN) logic, and the broadly accepted formal security verification tool called Automated Validation of Internet Security Protocols and Applications (AVISPA).
In order to provide a privacy-preserving mechanism in mobility environments, a DNA (Deoxyribonucleic Acid) based authentication protocol using the Hyper Elliptic Curve Cryptosystem (HECC) has been introduced. Authentication using DNA cryptography prevents cracking of the MU's password by mapping the plaintext password into a DNA sequence. Further, the proposed scheme replaces the elliptic curve cryptosystem with HECC to provide message confidentiality. HECC is very popular because of its smaller key length, operational efficiency, and ease of implementation on software and hardware platforms. In addition, the proposed DNA-based authentication protocol is verified using ProVerif as a formal verification tool. The proposed authentication protocols are simulated using the NS-2 simulator for various network performance parameters. Finally, the performance analysis and simulation results show that the proposed authentication protocols are robust, computationally efficient and practically implementable in resource-limited mobility environments.
In this research, we also focus on the most common and dangerous attack in web applications, cross-site scripting (XSS). XSS attacks permit an attacker to execute malicious scripts in the victim's web browser, resulting in various side effects such as data compromise and the stealing of cookies, passwords, credit card numbers, etc. Therefore, a secure XSS framework has been designed to deal with malicious XSS vectors that reach a browser from all possible routes.
Keywords
Department of Mathematical and Computational Sciences, Authentication, Session Key, Global Mobility Network, Elliptic Curve Cryptography, Privacy, Security, Smart-card, AVISPA and XSS Attacks