Security of two recent constant-round password authenticated group key exchange schemes

When humans interact with machines in their daily networks, it is important that security of the communications is offered, and where the involved shared secrets used to achieve this are easily remembered by humans. Password-based authenticated group key exchange (PAGKE) schemes allow group users to share a session key based on a human-memorizable password. In this paper, we consider two PAGKE schemes that build on the seminal scheme of Burmester and Desmedt. Weshow an undetectable online dictionary attack on the first scheme, and exploit the partnering definition to break the key indistinguishability of the second scheme

A Scalable Model for Secure Multiparty Authentication

Distributed system architectures such as cloud computing or the emergent architectures of the Internet Of Things, present significant challenges for security and privacy. Specifically, in a complex application there is a need to securely delegate access control mechanisms to one or more parties, who in turn can govern methods that enable multiple other parties to be authenticated in relation to the services that they wish to consume. We identify shortcomings in an existing proposal by Xu et al for multiparty authentication and evaluate a novel model from Al-Aqrabi et al that has been designed specifically for complex multiple security realm environments. The adoption of a Session Authority Cloud ensures that resources for authentication requests are scalable, whilst permitting the necessary architectural abstraction for myriad hardware IoT devices such as actuators and sensor networks, etc. In addition, the ability to ensure that session credentials are confirmed with the relevant resource principles means that the essential rigour for multiparty authentication is established

Decentralized Access Control in Distributed File Systems

The Internet enables global sharing of data across organizational boundaries. Distributed file systems facilitate data sharing in the form of remote file access. However, traditional access control mechanisms used in distributed file systems are intended for machines under common administrative control, and rely on maintaining a centralized database of user identities. They fail to scale to a large user base distributed across multiple organizations. We provide a survey of decentralized access control mechanisms in distributed file systems intended for large scale, in both administrative domains and users. We identify essential properties of such access control mechanisms. We analyze both popular production and experimental distributed file systems in the context of our survey

Shibboleth and the challenge of authentication in multiple servers on a e-learning environment

L' objectiu d’aquest treball és l’estudi, implementació i prova d'un sistema de autentificació compartida per a múltiples servidors. Encara que des d'un principi es sabia que es treballaria amb Shibboleth també s’han tingut en compte altres possibles solucions. Shibboleth és un projecte desenvolupat per els membres de les universitats que formen el consorci Internet2 amb l’ objectiu de desenvolupar un nou middleware per a realitzar les funcions d’autentificació compartida en múltiples servidors i pensat específicament per facilitar la col·laboració entre institucions i l’accés a continguts digitals. Shibboleth és una solució complerta ja que contempla des de l’autentificació , autorització i accounting, fins al sistema de login i els atributs a emprar. La qual cosa fa que es converteixi en un entorn de treball molt segur però amb l’avantatge d’aportar privacitat als usuaris. El primer objectiu ha estat identificar les peculiaritats i requeriments dels entorns de elearning distribuïts, per això s’ha estudiat conceptes específics de seguretat així com la manera d’adaptar-los a l’entorn requerit. Desprès s’ha fet una comparativa de les solucions existents al mercat amb una funcionalitat similar a Shibboleth, per tal de presentar els avantatges i desavantatges de Shibboleth vers aquests. Posteriorment, el treball ha consistit en entendre la estructura i els principis de funcionament de Shibboleth, quin tipus de requeriments tenia, el funcionament i objectius de cada part, estudiar els requeriments de l’entorn específic per al qual ha estat dissenyat (e-learning) i donar una idea general de com s’ hauria de fer la implementació. També s’han estudiat totes les tecnologies i requeriments necessaris per desenvolupar Shibboleth. Una vegada estudiat Shibboleth i l'entorn específic en el que s’hauria d’integrar, s’ha muntat un escenari per a la posada en marxa i proves d’aquest, provant específicament cada part i entenent amb les proves reals el funcionament. Amb l’escenari en funcionament, la idea era integrar Shibboleth amb Sakai i Blackboard, els CMS (Course Management System) utilitzats a on-campus, el campus virtual de la Fachhochschule Lübeck. Per a finalitzar i a mode de conclusions s'ha fet una petita explicació dels resultats obtinguts, una valoració de com Shibboleth resoldria les necessitats plantejades i algunes propostes de millora

Authentication for mobile computing

Host mobility is becoming an increasingly important feature with the recent arrival of laptop and palmtop computers, the development of wireless network interfaces and the implementation of global networks. Unfortunately, this mobile environment is also much more vulnerable to penetration by intruders. A possible means of protection can be authentication. This guarantees the identity of a communication peer. This thesis studies the constraints imposed on the mobile environment with respect to authentication. It compares the two prevailing authentication mechanisms, Kerberos and SPX, and tries to make suggestions of how a mechanism can be adapted to the mobile environment

WI-FI ALLIANCE HOTSPOT 2.0 SPECIFICATION BASED NETWORK DISCOVERY, SELECTION, AUTHENTICATION, DEPLOYMENT AND FUNCTIONALITY TESTS.

The demand for high mobile data transmission has been dramatically enlarged since there is a significant increase at the number of mobile communication devices that capable of providing high data rates. It is clearly observed that even the next generation cellular networks are not able to respond to this demand to provide the required level of mobile data transmission capacity. Although, WLAN responses to this demand by providing upwards of 600 Mbps data rates it is not convenient in terms of cellular like mobility and requires user intervention anytime of reconnection to a hotspot. Therefore, the need for a new technology took place and IEEE has introduced a new amendment to IEEE 802.11 standards family which is called as IEEE 802.11u. Based on IEEE 802.11u amendment, WFA developed WFA Hotspot 2.0 Specification and started to certify the Wi-Fi devices under Passpoint certification program. This new technology developed to provide Wi-Fi capable devices simply identify, select and associate to a Hotspot without any user intervention in a highly secure manner. As Hotspot 2.0 Specification is quite new in the market it has been a challenging work to reach some academic papers; however, IEEE 802.11u standard, Internet sources, white papers published by different companies/organizations and discussions with telecommunication experts have made this master thesis to achieve its goals. This thesis work provides a great resource for the network operators to have a great understanding of the Hotspot 2.0 Specification in terms of theory, network element requirements and deployment by providing a good understanding of the system functionality. In this paper, a comprehensive theoretical background that addresses to WLAN technology, Passpoint elements, and IEEE 802.11u based network discovery, selection and authentication is provided. Besides, Hotspot 2.0 network deployment scenarios with network core element requirements are designed and Passpoint functionality tests are performed under different scenarios by describing a comprehensive setup for the testing.fi=Opinnäytetyö kokotekstinä PDF-muodossa.|en=Thesis fulltext in PDF format.|sv=Lärdomsprov tillgängligt som fulltext i PDF-format