Security protocols for mobile ad hoc networks

Mobile ad hoc networks (MANETs) are generating much interest both in academia and the telecommunication industries. The principal attractions of MANETs are related to the ease with which they can be deployed due to their infrastructure-less and decentralized nature. For example, unlike other wireless networks, MANETs do not require centralized infrastructures such as base stations, and they are arguably more robust due to their avoidance of single point of failures. Interestingly, the attributes that make MANETs attractive as a network paradigm are the same phenomena that compound the challenge of designing adequate security schemes for these innovative networks.One of the challenging security problems is the issue of certificate revocation in MANETs where there are no on-line access to trusted authorities. In wired network environments, when certificates are to be revoked, certificate authorities (CAs) add the information regarding the certificates in question to certificate revocation lists (CRLs) and post the CRLs on accessible repositories or distribute them to relevant entities. In purely ad hoc networks, there are typically no access to centralized repositories or trusted authorities; therefore the conventional method of certificate revocation is not applicable.Another challenging MANET security problem is the issue of secure routing in the presence of selfish or adversarial entities which selectively drop packets they agreed to forward; and in so doing these selfish or adversarial entities can disrupt the network traffic and cause various communication problems.In this thesis, we present two security protocols we developed for addressing the above-mentioned MANET security needs. The first protocol is a decentralized certificate revocation scheme which allows the nodes within a MANET to have full control over the process of certificate revocation. The scheme is fully contained and it does not rely on any input from centralized or external entities such as trusted CAs. The second protocol is a secure MANET routing scheme we named Robust Source Routing (RSR). In addition to providing data origin authentication services and integrity checks, RSR is able to mitigate against intelligent, colluding malicious agents which selectively drop or modify packets they are required to forward

Security mechanisms for next-generation mobile networks

Basic concepts and definitions -- Motivation and research challenges -- Research objectives -- Mobile value-added service access -- UMTS access security -- DoS attacks in mobile networks -- A lightweight mobile service access based on reusable tickets -- Background work and motivation -- Service access through tickets -- System security analysis -- Comparisons with related work -- Enhancing UMTS AKA with vector combination -- Overview of UMTS AKA -- UMTS AKA weaknesses- -- Vector combination based AKA -- Security analysis of VC-AKA -- Mobility-oriented AKA in UMTS -- Mobility-oriented authentication -- Security analysis of MO-AKA -- A fine-grained puzzle against DOS attacks -- Quasi partial collision -- Fine-grained control over difficulties -- Lightweight to mobile devices -- Against replay attacks -- Confidentiality, integrity and user privacy

The IACS Cybersecurity Certification Framework (ICCF). Lessons from the 2017 study of the state of the art.

The principal goal of this report is to present the experiments of the IACS component Cybersecurity Certification Framework (ICCF) performed in 2017 by the NETs (National Exercise Teams) of several Member States, namely France, Poland and Spain. Based on real life use cases and simulations of ICCF activities, this report documents the current practices of these countries and NET members’ views in relation to IACS products cybersecurity certification. These studies have led to a series of findings that will be useful for the future of the ICCF in the context of the European Cybersecurity Certification Framework. In conclusion, a plan of action is proposed for the 2018-2019 period.JRC.E.2-Technology Innovation in Securit

Leveraging self-sovereign identity & distributed ledger technology in renewable energy certificate ecosystems

Renewable Energy Certificates (RECs) are tradable units that represent the commodity in the form of environmental attributes generated for each unit of electricity produced by a renewable energy source. Furthermore, the energy sector's digitalization ushers in new crucial enablers like Distributed Ledger Technology (DLT), which may be used for REC record tracking and trading. Unfortunately, there are a number of outstanding issues such as the lack of a common standard for the representation, communication, and verification of REC, reliance on centralized entities, and others. In order to harness the true potential of energy DLT and REC, it is imperative to address these issues. In this visionary article, we propose a holistic approach which leverages a novel decentralized identity mechanism called Self-sovereign Identity (SSI) and DLT. We present its architecture, based on a rigorous threat model and requirement analysis as well as detailed use-cases to illustrate how the architecture can be used in different REC use-cases

A policy-based security framework for ad-hoc networks

Imperial Users onl

A Practical Set-Membership Proof for Privacy-Preserving NFC Mobile Ticketing

To ensure the privacy of users in transport systems, researchers are working on new protocols providing the best security guarantees while respecting functional requirements of transport operators. In this paper, we design a secure NFC m-ticketing protocol for public transport that preserves users' anonymity and prevents transport operators from tracing their customers' trips. To this end, we introduce a new practical set-membership proof that does not require provers nor verifiers (but in a specific scenario for verifiers) to perform pairing computations. It is therefore particularly suitable for our (ticketing) setting where provers hold SIM/UICC cards that do not support such costly computations. We also propose several optimizations of Boneh-Boyen type signature schemes, which are of independent interest, increasing their performance and efficiency during NFC transactions. Our m-ticketing protocol offers greater flexibility compared to previous solutions as it enables the post-payment and the off-line validation of m-tickets. By implementing a prototype using a standard NFC SIM card, we show that it fulfils the stringent functional requirement imposed by transport operators whilst using strong security parameters. In particular, a validation can be completed in 184.25 ms when the mobile is switched on, and in 266.52 ms when the mobile is switched off or its battery is flat

Architectures de réseaux pour la délivrance de services à domicile

Avec l’omniprésence au quotidien du numérique et de l’informatique, de plus en plus d’utilisateurs souhaitent avoir accès à Internet et à leurs applications via n’importe quel périphérique, de n’importe où et n’importe quand. Les appareils domestiques intelligents se développant, les besoins d’échanger des données au domicile même se font de plus en plus sentir. C’est dans ce contexte, celui des services à domicile avec besoin d’interconnexion que se situe notre étude. Ce type de service est qualifié de Home Service (HS) alors que le réseau à domicile est nommé Home Network (HN). La problématique pour les opérateurs est alors de concevoir des architectures appropriées à l’interconnexion des HN de manière sécurisée tout en permettant un déploiement facile et à grande échelle. Dans la première étape, nous considérons la livraison de services sécurisés à travers un réseau de nouvelle génération (NGN) : IMS (IP Multimedia Subsystem). IMS étant l’architecture de référence pour son caractère réseau NGN des opérateurs, diverses architectures peuvent être développées comme support aux HS. Nous avons choisi d'analyser et de mettre en place une architecture P2P centralisée et de le comparer à l’architecture de référence. Plusieurs mécanismes d'authentification sont mis en place autour du P2P centralisé afin de sécuriser la prestation de services. La modélisation et l’évaluation de notre proposition ont permis d’identifier sa relation à l’IMS mais aussi des problèmes inhérents aux solutions centralisées : la protection des données personnelles, l’impact de la taille sur réseau sur les performances, l’existence d’un point de faiblesse unique face aux attaques et la congestion au niveau du serveur centralisé. Par conséquent, nous nous sommes tournés vers les solutions distribuées pour résoudre ces problèmes. Dans la deuxième étape, nous considérons l’architecture P2P non-structurée, qualifiée de pur P2P. La cryptographie basée sur l'identité (IBC) est ajoutée au P2P pur afin d’authentifier les utilisateurs et de protéger leurs communications. Pour chacune des solutions une analyse du coût de signalisation est effectuée révélant une faiblesse en ce qui concerne l’étape de recherche. Dans un déploiement à grande échelle, le coût de cette phase est trop élevé. Aussi, nous examinons le P2P structuré basé sur les Dynamic Hash Tables, une autre solution distribuée. Cette architecture est étudiée par l'IETF en tant qu’une des dernières générations de P2P: REsource LOcation And Discovery (RELOAD) Base Protocol. Nous proposons son utilisation dans le cadre des HSs. Comme preuve du concept, cette solution a été implantée et déployée sur un petit réseau en utilisant TLS/SSL comme mécanisme de sécurité. Cette plateforme nous a permis d’étudier les délais et les coûts de cette solution. Pour terminer, un bilan est établi sur toutes les solutions proposées En outre, nous introduisons d’autres types de HS et leurs possibilités de déploiement futur. ABSTRACT : With digital life enhancement, more users would like to get seamless Internet and information with any devices, at any time and from anywhere. More and more home devices need to exchange data or to control other devices. The type of services is labelled Home Service (HS) and it is deployed though a Home Network (HN). Some users need to use their HS outside their HN, some others need to interconnect other HN. Operators have to provide suitable network architectures to ensure this interconnection and to provide at the same time, scalability, remote access, easy deployment and security. Here is the topic of our work. In the fist step, we consider a practical illustration around the Next-Generation Network (NGN) and the secured services. It is the IMS (IP Multimedia Subsystem) approach for the management of services that is generally supported by the NGN network operators. However, various network operator architectures can be developed to support these services. An alternative way is the P2P architectures. We choose to analyze and implement a centralized P2P and we compare it with the IMS solution. Several authentication mechanisms are introduced to secure the centralized P2P. An evaluation of these architectures is conducted. Since the previous solutions present some issues due to their centralized feature, we consider distributed solutions in a second step. The non-structured P2P, called pure P2P, can also support HS. Identity Based Crytography (IBC) is added to these architectures in order to offer authentication and protection to user communications. The different solutions are compared through their signaling and transmission cost. The study shows that searching step in this architecture is really costly, facing a scalability problem. Thus, we propose to use a structured P2P (called Dynamic Hash Table) for delivering HS between HN. This type of architecture is studied by IETF with the REsource Location And Discovery (RELOAD) Base Protocol. This solution is implanted and deployed here to be a proof of the concept. This test-bed enables the study of delay and security overhead in a real system. Eventually, the presented solutions are recaptured in order to see their advantages/ disadvantages. In addition, we introduce other perspectives in terms of HSs and network interconnection

Rule-based conditional trust with OpenPGP.

This thesis describes a new trust model for OpenPGP encryption. This trust model uses conditional rule-based trust to establish key validity and trust. This thesis describes Trust Rules that may be used to sort and categorize keys automatically without user interaction. Trust Rules are also capable of integrating key revocation status into its calculations so it too is automated. This thesis presents that conditional trust established through Trust Rules can enforce stricter security while reducing the burden of use and automating the process of key validity, trust, and revocation

Xarxa mesh privada virtual

Aquest projecte ens apropa als conceptes com les xarxes privades virtuals, els serveis de seguretat (xifrar el tràfic, validar la integritat, autentificar els extrems, evitar el repudi i evitar la repetició) i les aplicacions distribuïdes (peer to peer). Avui en dia, la funció de permetre la unió de diferents ordenadors o xarxes locals en una nova xarxa virtual, pot ser aprofitada per poder abstraure’s de les barreres imposades per IPv4 com la limitació d’adreçament públic. El fet d’afegir la component de privacitat permet forçar un entorn segur, de confiança i independent del que puguin aportar les aplicacions. El conjunt de la creació de xarxes virtuals amb la component de privacitat permet la creació de xarxes privades virtuals també anomenades VPNs. L’objectiu d’aquest projecte és dissenyar i implementar una aplicació capaç de crear xarxes privades virtuals que no depenguin de cap servidor central, sense que això comprometi la privacitat ni l’autenticació dels integrants de la xarxa. L’aplicació ha de ser capaç de superar els Routers NAT (que tradueixen les adreces IP permetent compartir una adreça pública entre diferents ordenadors) per tal d’establir connexions bidireccionals directament amb els veïns de la xarxa virtual, proporcionant així una baixa latència. En fer els tests inicials es va trobar un problema relacionat amb la implementació de la llibreria OpenSSL del protocol segur utilitzat. Aquest error es presenta malgrat que aparentment l’aplicació fa un bon ús d’aquesta llibreria. Aquest problema ha consumit molt temps de dedicació del projecte sense poder ser solucionat. Com a resultats dels tests de l’aplicació creada en comparació amb les de les altres aplicacions existents: aquesta realitza una inicialització breu, te una latència baixa juntament amb una desviació estàndard molt baixa i permet taxes de transferència altes en TCP i baixes en UDP. Aquest document comença amb una introducció a les xarxes privades virtuals i al projecte.Seguidament, en el primer capítol s’exposa la descripció i la comparativa de les tecnologies de xarxes privades virtuals existents. En el segon s’explica el funcionament, el disseny i l’arquitectura de l’aplicació creada. En el tercer es presenten els resultats de les proves realitzades amb l’aplicació creada. I finalment hi ha les conclusions, la bibliografia i el glossari