Security Framework for the Web of IoT Platforms

Connected devices of IoT platforms are known to produce, process and exchange vast amounts of data, most of it sensitive or personal, that need to be protected. However, achieving minimal data protection requirements such as confidentiality, integrity, availability and non-repudiation in IoT platforms is a non-trivial issue. For one reason, the trillions of interacting devices provide larger attack surfaces. Secondly, high levels of personal and private data sharing in this ubiquitous and heterogeneous environment require more stringent protection. Additionally, whilst interoperability fuels innovation through cross-platform data flow, data ownership is a concern. This calls for categorizing data and providing different levels of access control to users known as global and local scopes. These issues present new and unique security considerations in IoT products and services that need to be addressed to enable wide adoption of the IoT paradigm. This thesis presents a security and privacy framework for the Web of IoT platforms that addresses end-to-end security and privacy needs of the platforms. It categorizes platforms’ resources into different levels of security requirements and provides appropriate access control mechanisms

Protection of Information and Communications in Distributed Systems and Microservices

Distributed systems have been a topic of discussion since the 1980s, but the adoption of microservices has raised number of system components considerably. With more decentralised distributed systems, new ways to handle authentication, authorisation and accounting (AAA) are needed, as well as ways to allow components to communicate between themselves securely. New standards and technologies have been created to deal with these new requirements and many of them have already found their way to most used systems and services globally. After covering AAA and separate access control models, we continue with ways to secure communications between two connecting parties, using Transport Layer Security (TLS) and other more specialised methods such as the Google-originated Secure Production Identity Framework for Everyone (SPIFFE). We also discuss X.509 certificates for ensuring identities. Next, both older time- tested and newer distributed AAA technologies are presented. After this, we are looking into communication between distributed components with both synchronous and asynchronous communication mechanisms, as well as into the publish/subscribe communication model popular with the rise of the streaming platform. This thesis also explores possibilities in securing communications between distributed endpoints and ways to handle AAA in a distributed context. This is showcased in a new software component that handles authentication through a separate identity endpoint using the OpenID Connect authentication protocol and stores identity in a Javascript object-notation formatted and cryptographically signed JSON Web Token, allowing stateless session handling as the token can be validated by checking its signature. This enables fast and scalable session management and identity handling for any distributed system

Federated identity architecture of the european eID system

Federated identity management is a method that facilitates management of identity processes and policies among the collaborating entities without a centralized control. Nowadays, there are many federated identity solutions, however, most of them covers different aspects of the identification problem, solving in some cases specific problems. Thus, none of these initiatives has consolidated as a unique solution and surely it will remain like that in a near future. To assist users choosing a possible solution, we analyze different federated identify approaches, showing main features, and making a comparative study among them. The former problem is even worst when multiple organizations or countries already have legacy eID systems, as it is the case of Europe. In this paper, we also present the European eID solution, a purely federated identity system that aims to serve almost 500 million people and that could be extended in midterm also to eID companies. The system is now being deployed at the EU level and we present the basic architecture and evaluate its performance and scalability, showing that the solution is feasible from the point of view of performance while keeping security constrains in mind. The results show a good performance of the solution in local, organizational, and remote environments

Cryptographic methods for authentication and authorization

Uz sve prednosti koje dolaze s globalnim povezivanjem, sigurnost informacija je postala problem. Zbog toga postoje različite kriptografske metode koje pružaju korisnicima određenu razinu sigurnosti bez da utječu na njihovo korisničko iskustvo. SASL mehanizmi su jedni od tih sigurnosnih mjera koje štite korisnike i njihove informacije. Postoje različiti mehanizmi s različitim razinama sigurnosti koje pružaju. Jedni od najpoznatijih mehanizama su OTP i OAuth mehanizam koji su široko rasprostranjeni i pružaju najbolju sigurnost svojim korisnicima. Budući mehanizmi trebali bi svakako obratiti pažnju na propuste koje sadašnji mehanizmi imaju, kao što je loša zaštićenost integriteta podataka i povjerljivosti podataka. Također, budući mehanizmi će nastojati implementirati složenije metode autentikacije, kao što je to biometrijska autentikacija. S razvojem tehnologija, sigurnost će biti izložena novim napadima, ali to je također prilika za razvoj boljih i bržih metoda za autentikaciju i autorizaciju.With all the good aspects that come from global connection, there is an issue of information security. That is the reason why there are many different cryptographic methods that provide users with a certain level of security without affecting their user experience. SASL mechanisms are one of those security measures that protect users and their information. There are a lot of different mechanisms with different security levels. The most popular mechanisms are OTP and OAuth mechanisms that are used wide and provide their users with the best security. Future mechanisms should pay attention to flaws of current mechanism that have bad security for data integrity and data confidentiality. Also, future mechanisms should try to implement more complex authentication methods, like biometric authentication. With growth of technology, security will get exposed to new attacks but that is also an opportunity to develop better and faster methods for authentication and authorization

Cryptographic methods for authentication and authorization

Uz sve prednosti koje dolaze s globalnim povezivanjem, sigurnost informacija je postala problem. Zbog toga postoje različite kriptografske metode koje pružaju korisnicima određenu razinu sigurnosti bez da utječu na njihovo korisničko iskustvo. SASL mehanizmi su jedni od tih sigurnosnih mjera koje štite korisnike i njihove informacije. Postoje različiti mehanizmi s različitim razinama sigurnosti koje pružaju. Jedni od najpoznatijih mehanizama su OTP i OAuth mehanizam koji su široko rasprostranjeni i pružaju najbolju sigurnost svojim korisnicima. Budući mehanizmi trebali bi svakako obratiti pažnju na propuste koje sadašnji mehanizmi imaju, kao što je loša zaštićenost integriteta podataka i povjerljivosti podataka. Također, budući mehanizmi će nastojati implementirati složenije metode autentikacije, kao što je to biometrijska autentikacija. S razvojem tehnologija, sigurnost će biti izložena novim napadima, ali to je također prilika za razvoj boljih i bržih metoda za autentikaciju i autorizaciju.With all the good aspects that come from global connection, there is an issue of information security. That is the reason why there are many different cryptographic methods that provide users with a certain level of security without affecting their user experience. SASL mechanisms are one of those security measures that protect users and their information. There are a lot of different mechanisms with different security levels. The most popular mechanisms are OTP and OAuth mechanisms that are used wide and provide their users with the best security. Future mechanisms should pay attention to flaws of current mechanism that have bad security for data integrity and data confidentiality. Also, future mechanisms should try to implement more complex authentication methods, like biometric authentication. With growth of technology, security will get exposed to new attacks but that is also an opportunity to develop better and faster methods for authentication and authorization

Integrating an AAA-based federation mechanism for OpenStack - The CLASSe view

Identity federations enable users, service providers, and identity providers from different organizations to exchange authentication and authorization information in a secure way. In this paper, we present a novel identity federation architecture for cloud services based on the integration of a cloud identity management service with an authentication, authorization, and accounting infrastructure. Specifically, we analyse how this type of authentication, authorization, and accounting–based federation can be smoothly integrated into OpenStack, the leading open source cloud software solution, using the Internet Engineering Task Force (IETF) Application Bridging for Federated Access Beyond web specification for authentication and authorization. We provide details of the implementation undertaken in GÉANT's CLASSe project and show its validation in a real testbed

Token Based Authentication and Authorization with Zero-Knowledge Proofs for Enhancing Web API Security and Privacy

This design science study showcases an innovative artifact that utilizes Zero-Knowledge Proofs for API Authentication and Authorization. A comprehensive examination of existing literature and technology is conducted to evaluate the effectiveness of this alternative approach. The study reveals that existing APIs are using slower techniques that don’t scale, can’t take advantage of newer hardware, and have been unable to adequately address current security issues. In contrast, the novel technique presented in this study performs better, is more resilient in privacy sensitive and security settings, and is easy to implement and deploy. Additionally, this study identifies potential avenues for further research that could help advance the field of Web API development in terms of security, privacy, and simplicity