
    An identity framework for providing access to FIWARE OAuth 2.0-based services according to the eIDAS European Regulation

    Secure electronic identification (eID) is one of the key enablers of data protection, privacy, and the prevention of online fraud. However, until now, the lack of a common legal basis prevented European Member States from recognizing and accepting eIDs issued in other Member States. The electronic identification and trust services (eIDAS) regulation provides a solution to these issues by ensuring the cross-border mutual recognition of eIDs. FIWARE is a European initiative that provides a rather simple yet powerful set of application programming interfaces (APIs) that ease the development of smart applications in multiple vertical sectors oriented to the future internet. In this paper, we propose a model that enables the connection of FIWARE OAuth 2.0-based services with the eID authentication provided through eIDAS nodes. Thanks to this model, services already connected to an OAuth 2.0 identity provider can be automatically connected to eIDAS nodes, providing eID authentication to European citizens. To validate the proposed model, we have deployed an instance of the FIWARE identity manager connected to the Spanish eIDAS node. We then registered two services, a private videoconferencing system and a public smart city deployment, and extended their functionality to enrich the user experience by leveraging eID authentication. We have evaluated the integration of both services into the eIDAS network with real users from seven different countries. We conclude that the proposed model facilitates the integration of generic and FIWARE-based OAuth 2.0 services into the eIDAS infrastructure, making the connection transparent for developers.

    Implementation of Role-Based Access Control on OAuth 2.0 as Authentication and Authorization

    As today's technology transitions from monolithic towards microservices architecture, the authentication and authorization system also becomes a new concern because of the differences between the monolithic and microservices patterns. Monolithic systems mostly use role-based access control, while microservices use scopes with OAuth 2.0. With this in mind, there is a need for a model that can integrate OAuth 2.0 with role-based access control. With role-based access control implemented on OAuth 2.0, we expect a simpler authorization process and a more secure authentication and authorization system for a microservices backend architecture. This paper proposes a model to implement role-based access control on OAuth 2.0 using the Laravel framework; we also test the performance of the system in terms of response time, data transferred and throughput. From the performance test, this approach has good performance and can handle a certain number of requests with simulated users even with limited resources.

    Security Framework for the Web of IoT Platforms

    Connected devices of IoT platforms are known to produce, process and exchange vast amounts of data, much of it sensitive or personal, that need to be protected. However, achieving minimal data protection requirements such as confidentiality, integrity, availability and non-repudiation in IoT platforms is a non-trivial issue. For one reason, the trillions of interacting devices provide larger attack surfaces. Secondly, high levels of personal and private data sharing in this ubiquitous and heterogeneous environment require more stringent protection. Additionally, whilst interoperability fuels innovation through cross-platform data flow, data ownership is a concern. This calls for categorizing data and providing different levels of access control to users, known as global and local scopes. These issues present new and unique security considerations in IoT products and services that need to be addressed to enable wide adoption of the IoT paradigm. This thesis presents a security and privacy framework for the Web of IoT platforms that addresses the end-to-end security and privacy needs of the platforms. It categorizes platforms' resources into different levels of security requirements and provides appropriate access control mechanisms.

    Securing Personal IoT Platforms through Systematic Analysis and Design

    Our homes, hospitals, cities, and industries are being enhanced with devices that have computational and networking capabilities. This emerging network of connected devices, or Internet of Things (IoT), promises better safety, enhanced management of patients, improved energy efficiency, and optimized manufacturing processes. Although there are many such benefits, security vulnerabilities in these systems can lead to user dissatisfaction (e.g., from random bugs), privacy violation (e.g., from stolen information), monetary loss (e.g., denial-of-service attacks or "ransomware"), or even loss of life (e.g., from malicious actors manipulating critical processes in a hospital). Security design flaws may manifest at several layers of the IoT software/hardware stack. This work focuses on design flaws that arise in IoT platforms, the software systems that manage devices, data analysis results and control logic. Specifically, we show that empirical security-oriented analyses of personal IoT platforms lead to: (1) an understanding of design flaws that can be leveraged in long-range and device-independent attacks; (2) the development of security mechanisms that limit the potential for these attacks. Concretely, we contribute empirical analyses for two categories of personal IoT platforms: Hub-Based (Samsung SmartThings) and Cloud-First (If-This-Then-That). Our analyses reveal overprivilege as a main enabler for attacks, and we propose a set of information flow control techniques (FlowFence and Decoupled-IFTTT) to manage privilege better in these platforms, therefore reducing the potential for attacks.
    PhD, Computer Science & Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies
    https://deepblue.lib.umich.edu/bitstream/2027.42/137083/1/earlence_1.pd

    Reducing the IoT security gap with a microservices architecture based on TLS and OAuth2 (original title: Reduciendo la brecha de seguridad del IoT con una arquitectura de microservicios basada en TLS y OAuth2)

    The Internet of Things has emerged as one of the most promising trends today. The speed of its adoption, however, has caused certain gaps. Among the most critical is the one related to the security of the systems involved. This project addressed the security problem in a broad way but focused on smart-home environments, where the use of devices with widely heterogeneous technologies and multiple services generates problems with authentication and with the confidentiality of the data if the network is compromised. To tackle these problems, state-of-the-art technologies such as OAuth2 and TLS, among others, were put together along with an architectural methodology of loosely coupled microservices. As a result, a secure and broad-range IoT architecture was built, backed up and validated by a reference implementation. The division into functional layers enables both fixed and mobile devices and sensors to connect to the system transparently and fluently. The security scheme, structured in three incremental levels, enables better device integration at the level that best fits its computing resources and the type of information it shares. The results show the flexibility of the solution and the robustness and novelty of the security scheme presented.

    Spanish abstract (translated): The Internet of Things is one of the most promising trends today. The speed of its adoption, however, has caused certain critical gaps in the security of the systems involved. This project analysed the security problem in a broad way, but focused on smart-home environments, where the use of devices with widely heterogeneous technologies generates problems in authentication with multiple services, and in the confidentiality of the data should the network become compromised. To attack these problems, state-of-the-art technologies such as OAuth2 and TLS, among others, were combined with an architectural methodology of loosely coupled microservices to produce a secure and broad-range IoT architecture, backed up and validated by a reference implementation. The division into functional layers allows both fixed and mobile devices and sensors to join the system transparently and fluently. The security scheme, structured in three incremental levels, allows each device to integrate at the level that best fits both its computing resources and the type of information it must deliver or consume. The results show the flexibility of the solution and the soundness of the security scheme presented.

    Authentication and Authorization for the front-end web developer

    Traditional web pages are hosted and served through a web server and executed in a web browser on the user's device. Advances in the technologies used to create web pages have led to a paradigm shift in web development, leading to concepts such as front-end and back-end. Browser-based technologies, particularly JavaScript, have seen enormous advances in functionality and capability. This has made it possible to create standalone web applications capable of running in the browser and relying on the back-end server only for data. This is corroborated by the rise and popularity of various JavaScript frameworks that are used by default when creating web applications in modern times. As code running in a web browser can be inspected by anyone, this creates a challenge in incorporating authentication and authorization, particularly because storing user credentials and secrets in web browser code is not secure in any way. This thesis explores and documents authentication and authorization methods that can be securely implemented in a front-end web application. Token-based authentication and authorization has become widely accepted as the solution. The OpenID Connect and OAuth 2.0 protocols were explored, as they are the most commonly used token-based solutions for authentication and authorization. Furthermore, three use cases are described that used token-based solutions in real-world client projects.

    Multitenant Containers as a Service (CaaS) for Clouds and Edge Clouds

    Cloud computing, offering on-demand access to computing resources through the Internet under the pay-as-you-go model, has marked the last decade with its three main service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). The lightweight nature of containers compared to virtual machines has led in recent years to the rapid uptake of another service model, Containers as a Service (CaaS), which falls between IaaS and PaaS in terms of control abstraction. However, when CaaS is offered to multiple independent users, or tenants, a multi-instance approach is used, in which each tenant receives its own separate cluster, which imposes significant overhead because virtual machines are employed for isolation. If CaaS is to be offered not just in the cloud but also at the edge cloud, where resources are limited, another solution is required. We introduce a native CaaS multitenancy framework, meaning that tenants share a cluster, which is more efficient than the one-tenant-per-cluster model. Whenever there are shared resources, isolation of multitenant workloads is an issue. Such workloads can be isolated by Kata Containers today. In addition, our framework accommodates application requirements that demand complete isolation and a fully customized environment. Node-level slicing empowers tenants to programmatically reserve isolated subclusters where they can choose the container runtime that suits the application's needs. The framework is publicly available as liberally licensed, free, open-source software that extends Kubernetes, the de facto standard container orchestration system. It is in production use within the EdgeNet testbed for researchers.