93 research outputs found
Trust Building and Usage Control for Electronic Business Processes
Information technology (IT) supports companies to streamline their business processes. The main contributions of IT are the digitalization of data and efficient communication networks, which allow companies to automatize their business processes and thus increase their efficiency, i.e., their value creation. This effort started with the optimization of internal business processes within a company. Nowadays, it also includes external business processes, in which multiple enterprises and even customers are involved. However, using IT also causes undesirable side effects for companies. They are exposed to a wide range of vulnerabilities and threats. Digitalizing data, e.g., documents, spurs the access to that data and the exchange of it. However, a disadvantageous result of digitalizing data is the increased risk of unauthorized access to that data. Communication networks provide an excellent foundation for collaboration between companies. At the same time, the open and anonymous character of communication networks is a reason for distrust towards business partners offering their goods and services over such networks. As a result of these undesirable side effects, the outcome of a certain business process supported by IT may be suboptimal or companies may refrain from using IT. Against this background, this thesis focuses on securing electronic business processes with regard to two aspects, i.e., building trust in open networks and controlling the usage of digital objects. Trust is the prerequisite for all kinds of commercial transactions. Using reputation information is one possible way to build up trust among business partners. In this thesis, we propose two new reputation systems to establish trust for ad-hoc processes in open markets. The first reputation system facilitates trust building in the context of electronic negotiations which are performed with the help of a centralized system. The reputation system enables companies to find trustworthy business partners and provides decision support during a negotiation. The second reputation system supports trust building in decentralized Peer-to-Peer (P2P) networks. A main feature of this system is its robustness against coalition attacks, which is proven with the help of a simulation. Controlling the usage of digital objects demands two functionalities. First, we need methods for defining usage rules. Second, mechanisms for enforcing the defined usage rules are required. In this thesis, we address both aspects of usage control. Digital documents play a central role in business processes, since they are a means of integration and are handled among business partners. Some documents are sensitive and thus have to be protected from being accessed by unauthorized parties. For this purpose, we propose a flexible and expressive access control model for electronic documents. Our model captures the information about the operations performed on documents. This history information can be used to define access control rules. Customers are involved in the execution of special kinds of business processes, such as selling and consuming digital goods. In these cases, digital goods have to be protected from being used in an unauthorized way, e.g., being shared in public networks. Thus, the trustworthiness of customers' platforms has to be verified before transferring digital goods. For this, we propose a robust integrity reporting protocol which is necessary when a remote platform has to perform security relevant operations, e.g., to enforce a security policy which controls the usage of digital content. This integrity reporting protocol is a building block of a new Digital Rights Management system which is also presented in this thesis. This system provides a high protection level. At the same time, it allows users to transfer their purchased content to other devices or users.
Demystifying Internet of Things Security
Break down the misconceptions of the Internet of Things by examining the different security building blocks available in Intel Architecture (IA) based IoT platforms. This open access book reviews the threat pyramid, secure boot, chain of trust, and the SW stack leading up to defense-in-depth. The IoT presents unique challenges in implementing security and Intel has both CPU and Isolated Security Engine capabilities to simplify it. This book explores the challenges to secure these devices to make them immune to different threats originating from within and outside the network. The requirements and robustness rules to protect the assets vary greatly and there is no single blanket solution approach to implement security. Demystifying Internet of Things Security provides clarity to industry professionals and provides and overview of different security solutions What You'll Learn Secure devices, immunizing them against different threats originating from inside and outside the network Gather an overview of the different security building blocks available in Intel Architecture (IA) based IoT platforms Understand the threat pyramid, secure boot, chain of trust, and the software stack leading up to defense-in-depth Who This Book Is For Strategists, developers, architects, and managers in the embedded and Internet of Things (IoT) space trying to understand and implement the security in the IoT devices/platforms
Security, Trust and Privacy (STP) Model for Federated Identity and Access Management (FIAM) Systems
The federated identity and access management systems facilitate the home domain
organization users to access multiple resources (services) in the foreign domain
organization by web single sign-on facility. In federated environment the user’s
authentication is performed in the beginning of an authentication session and allowed
to access multiple resources (services) until the current session is active. In current
federated identity and access management systems the main security concerns are: (1)
In home domain organization machine platforms bidirectional integrity measurement
is not exist, (2) Integrated authentication (i.e., username/password and home domain
machine platforms mutual attestation) is not present and (3) The resource (service)
authorization in the foreign domain organization is not via the home domain machine
platforms bidirectional attestation
Attestation in Trusted Computing: Challenges and Potential Solutions
This report examines the state of play in TCG attestation. It asks the question: how practical is the attestation specification and does it meet the needs of designs that propose to take advantage of trusted computing functionality? It is shown that, broadly speaking, both specification and implementation falls short of its stated goals. Application designs expect different semantics. Straightforward application of attestation to a running system does not provide adequate assurance nor does it scale. It is argued that extending the TCG architecture and reworking application designs are the most viable routes to making attestation a practical proposition
Who Can Find My Devices? Security and Privacy of Apple's Crowd-Sourced Bluetooth Location Tracking System
Overnight, Apple has turned its hundreds-of-million-device ecosystem into the
world's largest crowd-sourced location tracking network called offline finding
(OF). OF leverages online finder devices to detect the presence of missing
offline devices using Bluetooth and report an approximate location back to the
owner via the Internet. While OF is not the first system of its kind, it is the
first to commit to strong privacy goals. In particular, OF aims to ensure
finder anonymity, untrackability of owner devices, and confidentiality of
location reports. This paper presents the first comprehensive security and
privacy analysis of OF. To this end, we recover the specifications of the
closed-source OF protocols by means of reverse engineering. We experimentally
show that unauthorized access to the location reports allows for accurate
device tracking and retrieving a user's top locations with an error in the
order of 10 meters in urban areas. While we find that OF's design achieves its
privacy goals, we discover two distinct design and implementation flaws that
can lead to a location correlation attack and unauthorized access to the
location history of the past seven days, which could deanonymize users. Apple
has partially addressed the issues following our responsible disclosure.
Finally, we make our research artifacts publicly available.Comment: Accepted at Privacy Enhancing Technologies Symposium (PETS) 202
Recommended from our members
Twenty security considerations for cloud-supported Internet of Things
To realise the broad vision of pervasive computing,
underpinned by the “Internet of Things” (IoT), it is essential to
break down application and technology-based silos and support
broad connectivity and data sharing; the cloud being a natural
enabler. Work in IoT tends towards the subsystem, often focusing
on particular technical concerns or application domains, before
offloading data to the cloud. As such, there has been little regard
given to the security, privacy and personal safety risks that arise
beyond these subsystems; that is, from the wide-scale, crossplatform
openness that cloud services bring to IoT.
In this paper we focus on security considerations for IoT from
the perspectives of cloud tenants, end-users and cloud providers,
in the context of wide-scale IoT proliferation, working across
the range of IoT technologies (be they things or entire IoT
subsystems). Our contribution is to analyse the current state of
cloud-supported IoT to make explicit the security considerations
that require further work.This work was supported by UK Engineering and Physical Sciences
Research Council grant EP/K011510 CloudSafetyNet:
End-to-End Application Security in the Cloud and Microsoft
through the Microsoft Cloud Computing Research Centre
A Survey on Wireless Sensor Network Security
Wireless sensor networks (WSNs) have recently attracted a lot of interest in
the research community due their wide range of applications. Due to distributed
nature of these networks and their deployment in remote areas, these networks
are vulnerable to numerous security threats that can adversely affect their
proper functioning. This problem is more critical if the network is deployed
for some mission-critical applications such as in a tactical battlefield.
Random failure of nodes is also very likely in real-life deployment scenarios.
Due to resource constraints in the sensor nodes, traditional security
mechanisms with large overhead of computation and communication are infeasible
in WSNs. Security in sensor networks is, therefore, a particularly challenging
task. This paper discusses the current state of the art in security mechanisms
for WSNs. Various types of attacks are discussed and their countermeasures
presented. A brief discussion on the future direction of research in WSN
security is also included.Comment: 24 pages, 4 figures, 2 table
- …