Mobile Authentication Assurance Statement (MAAS) Draft Specification

Authentication assurance is a statement of the level of protection that the authenticator enforces to assure that a user retains control of the credentials used in authentication. Protected secret credentials enable user authentication at high levels of assurance. This specification describes the format of a message for mobile assurance along with a healthcare provider use case, involving the user’s acquisition and operation of an app on a smartphone that uses the statement in an authentication protocol

EOSC Authentication and Authorization Infrastructure (AAI) : Report from the EOSC Executive Board Working Group (WG) Architecture AAI Task Force (TF)

The EOSC Architecture Working Group has assigned the AAI Task Force (AAI TF) the task to establish a common global ecosystem for identity and access control infrastructures for the European Open Science Cloud (EOSC). Since the EOSC is part of an international environment of research and education, the principles established by the EOSC AAI subtask must be globally viable. The EOSC AAI TF has produced a set of deliverables: - EOSC AAI First Principles & Requirements - EOSC AAI Baseline Architecture - EOSC AAI Federation participation guidelines (participation policy and technical framework) - EOSC AAI Best Practise

Wireless communication technologies for the Internet of Things

Internet of Things (IoT) is the inter-networking paradigm based on many processes such as identifying, sensing, networking and computation. An IoT technology stack provides seamless connectivity between various physical and virtual objects. The increasing number of IoT applications leads to the issue of transmitting, storing, and processing a large amount of data. Therefore, it is necessary to enable a system capable to handle the growing traffic requirements with the required level of QoS (Quality of Service). IoT devices become more complex due to the various components such as sensors and network interfaces. The IoT environment is often demanding for mobile power source, QoS, mobility, reliability, security, and other requirements. Therefore, new IoT technologies are required to overcome some of these issues. In recent years new wireless communication technologies are being developed to support the development of new IoT applications. This paper provides an overview of some of the most widely used wireless communication technologies used for IoT applications

Multitenant Containers as a Service (CaaS) for Clouds and Edge Clouds

Cloud computing, offering on-demand access to computing resources through the Internet and the pay-as-you-go model, has marked the last decade with its three main service models; Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). The lightweight nature of containers compared to virtual machines has led to the rapid uptake of another in recent years, called Containers as a Service (CaaS), which falls between IaaS and PaaS regarding control abstraction. However, when CaaS is offered to multiple independent users, or tenants, a multi-instance approach is used, in which each tenant receives its own separate cluster, which reimposes significant overhead due to employing virtual machines for isolation. If CaaS is to be offered not just at the cloud, but also at the edge cloud, where resources are limited, another solution is required. We introduce a native CaaS multitenancy framework, meaning that tenants share a cluster, which is more efficient than the one tenant per cluster model. Whenever there are shared resources, isolation of multitenant workloads is an issue. Such workloads can be isolated by Kata Containers today. Besides, our framework esteems the application requirements that compel complete isolation and a fully customized environment. Node-level slicing empowers tenants to programmatically reserve isolated subclusters where they can choose the container runtime that suits application needs. The framework is publicly available as liberally-licensed, free, open-source software that extends Kubernetes, the de facto standard container orchestration system. It is in production use within the EdgeNet testbed for researchers

Segurança e privacidade em terminologia de rede

Security and Privacy are now at the forefront of modern concerns, and drive a significant part of the debate on digital society. One particular aspect that holds significant bearing in these two topics is the naming of resources in the network, because it directly impacts how networks work, but also affects how security mechanisms are implemented and what are the privacy implications of metadata disclosure. This issue is further exacerbated by interoperability mechanisms that imply this information is increasingly available regardless of the intended scope. This work focuses on the implications of naming with regards to security and privacy in namespaces used in network protocols. In particular on the imple- mentation of solutions that provide additional security through naming policies or increase privacy. To achieve this, different techniques are used to either embed security information in existing namespaces or to minimise privacy ex- posure. The former allows bootstraping secure transport protocols on top of insecure discovery protocols, while the later introduces privacy policies as part of name assignment and resolution. The main vehicle for implementation of these solutions are general purpose protocols and services, however there is a strong parallel with ongoing re- search topics that leverage name resolution systems for interoperability such as the Internet of Things (IoT) and Information Centric Networks (ICN), where these approaches are also applicable.Segurança e Privacidade são dois topicos que marcam a agenda na discus- são sobre a sociedade digital. Um aspecto particularmente subtil nesta dis- cussão é a forma como atribuímos nomes a recursos na rede, uma escolha com consequências práticas no funcionamento dos diferentes protocols de rede, na forma como se implementam diferentes mecanismos de segurança e na privacidade das várias partes envolvidas. Este problema torna-se ainda mais significativo quando se considera que, para promover a interoperabili- dade entre diferentes redes, mecanismos autónomos tornam esta informação acessível em contextos que vão para lá do que era pretendido. Esta tese foca-se nas consequências de diferentes políticas de atribuição de nomes no contexto de diferentes protocols de rede, para efeitos de segurança e privacidade. Com base no estudo deste problema, são propostas soluções que, através de diferentes políticas de atribuição de nomes, permitem introdu- zir mecanismos de segurança adicionais ou mitigar problemas de privacidade em diferentes protocolos. Isto resulta na implementação de mecanismos de segurança sobre protocolos de descoberta inseguros, assim como na intro- dução de mecanismos de atribuiçao e resolução de nomes que se focam na protecçao da privacidade. O principal veículo para a implementação destas soluções é através de ser- viços e protocolos de rede de uso geral. No entanto, a aplicabilidade destas soluções extende-se também a outros tópicos de investigação que recorrem a mecanismos de resolução de nomes para implementar soluções de intero- perabilidade, nomedamente a Internet das Coisas (IoT) e redes centradas na informação (ICN).Programa Doutoral em Informátic

An Interoperable Access Control System based on Self-Sovereign Identities

The extreme growth of the World Wide Web in the last decade together with recent scandals related to theft or abusive use of personal information have left users unsatisfied withtheir digital identity providers and concerned about their online privacy. Self-SovereignIdentity (SSI) is a new identity management paradigm which gives back control over personal information to its rightful owner - the individual. However, adoption of SSI on theWeb is complicated by the high overhead costs for the service providers due to the lackinginteroperability of the various emerging SSI solutions. In this work, we propose an AccessControl System based on Self-Sovereign Identities with a semantically modelled AccessControl Logic. Our system relies on the Web Access Control authorization rules usedin the Solid project and extends them to additionally express requirements on VerifiableCredentials, i.e., digital credentials adhering to a standardized data model. Moreover,the system achieves interoperability across multiple DID Methods and types of VerifiableCredentials allowing for incremental extensibility of the supported SSI technologies bydesign. A Proof-of-Concept prototype is implemented and its performance as well as multiple system design choices are evaluated: The End-to-End latency of the authorizationprocess takes between 2-5 seconds depending on the used DID Methods and can theoretically be further optimized to 1.5-3 seconds. Evaluating the potential interoperabilityachieved by the system shows that multiple DID Methods and different types of VerifiableCredentials can be supported. Lastly, multiple approaches for modelling required Verifiable Credentials are compared and the suitability of the SHACL language for describingthe RDF graphs represented by the required Linked Data credentials is shown

Service level agreements in spatial data infrastructures

Die vorliegende Arbeit entwickelt ein Konzept für die Integration von Service Level Agreements (SLAs) in Geodateninfrastrukturen (GDIs). Der ausgewählten mehrstufigen Ansatz beinhaltet die Entwicklung eines abstrakten SLA-Modells und einer web-basierten SLA-Management-Architektur. Das Ziel des abstrakten SLA-Modells ist die konzeptionelle Beschreibung der Struktur und des Inhaltes von SLAs speziell für die ausgewählten Anwendungsbereiche. Der Zweck der web-basierten SLA-Management-Architektur ist es, die (Online-) Aushandlung von SLAs in bereits existierenden GDIs zu ermöglichen, ohne dass eine vorherige (Offline-) Kommunikation zwischen Dienstanbieter und Dienstnutzer vonnöten ist. Der gewählte Policy-basierte Ansatz deckt nicht nur die Aushandlung von SLAs und die eigentliche Dienstnutzung ab, es wird der vollständige Lebenszyklus von SLAs unterstützt. Dazu gehört sowohl die permanente Überwachung der angebotenen Dienste als auch die permanente Evaluierung aller aktiven SLAs.This thesis develops a concept for the integration of Service Level Agreements (SLAs) in Spatial Data Infrastructure (SDIs). The selected multi-step approach involves the development of an abstract SLA model and a web-based SLA management architecture. The aim of the abstract SLA model is to describe the domain-specific structure and content of SLAs that can be applied in SDIs from a conceptual point of view. The purpose of the web-based SLA management architecture is to enable the on-demand and online negotiation of SLAs in established SDIs without the need of prior offline communication between service providers and service consumers. The selected policy-based approach covers not only agreement negotiation and service consumption, but also the complete agreement life cycle including service monitoring and agreement evaluation.<br/

Privacy-aware Biometric Blockchain based e-Passport System for Automatic Border Control

In the middle of 1990s, World Wide Web technology initially steps into our life. Now, 30 years after that, widespread internet access and established computing technology bring embodied real life into Metaverse by digital twin. Internet is not only blurring the concept of physical distance, but also blurring the edge between the real and virtual world. Another breakthrough in computing is the blockchain, which shifts the root of trust attached to a system administrator to the computational power of the system. Furthermore, its favourable properties such as immutable time-stamped transaction history and atomic smart contracts trigger the development of decentralized autonomous organizations (DAOs). Combining above two, this thesis presents a privacy-aware biometric Blockchain based e-passport system for automatic border control(ABC), which aims for improving the efficiency of existing ABC system. Specifically, through constructing a border control Metaverse DAO, border control workload can be autonomously self-executed by atomic smart contracts as transaction and then immutably recorded on Blockchain. What is more, to digitize border crossing documentation, biometric Blockchain based e-passport system(BBCVID) is created to generate an immutable real-world identity digital twin in the border control Metaverse DAO through Blockchain and biometric identity authentication. That is to say, by digitizing border crossing documentation and automatizing both biometric identity authentication and border crossing documentation verification, our proposal is able to significantly improve existing border control efficiency. Through system simulation and performance evaluation by Hyperledger Caliper, the proposed system turns out to be able to improve existing border control efficiency by 3.5 times more on average, which is remarkable. What is more, the dynamic digital twin constructed by BBCVID enables computing techniques such as machine learning and big data analysis applicable to real-world entity, which has a huge potential to create more value by constructing smarter ABC systems

Prototyping and Evaluation of Sensor Data Integration in Cloud Platforms

The SFI Smart Ocean centre has initiated a long-running project which consists of developing a wireless and autonomous marine observation system for monitoring of underwater environments and structures. The increasing popularity of integrating the Internet of Things (IoT) with Cloud Computing has led to promising infrastructures that could realize Smart Ocean's goals. The project will utilize underwater wireless sensor networks (UWSNs) for collecting data in the marine environments and develop a cloud-based platform for retrieving, processing, and storing all the sensor data. Currently, the project is in its early stages and the collaborating partners are researching approaches and technologies that can potentially be utilized. This thesis contributes to the centre's ongoing research, focusing on the aspect of how sensor data can be integrated into three different cloud platforms: Microsoft Azure, Amazon Web Services, and the Google Cloud Platform. The goals were to develop prototypes that could successfully send data to the chosen cloud platforms and evaluate their applicability in context of the Smart Ocean project. In order to determine the most suitable option, each platform was evaluated based on set of defined criteria, focusing on their sensor data integration capabilities. The thesis has also investigated the cloud platforms' supported protocol bindings, as well as several candidate technologies for metadata standards and compared them in surveys. Our evaluation results shows that all three cloud platforms handle sensor data integration in very similar ways, offering a set of cloud services relevant for creating diverse IoT solutions. However, the Google Cloud Platform ranks at the bottom due to the lack of IoT focus on their platform, with less service options, features, and capabilities compared to the other two. Both Microsoft Azure and Amazon Web Services rank very close to each other, as they provide many of the same sensor data integration capabilities, making them the most applicable options.Masteroppgave i Programutvikling samarbeid med HVLPROG399MAMN-PRO

Einbettung einer lokalen Software eines Föderationsmitgliedes zur Bereitstellung in einem Föderationsumfeld (DFN-AAI)

Diese Ausarbeitung beschäftigt sich mit dem vielschichtigen Themenkomplex Identitätsmanagement (IdM) und einem Ansatz, wie Ressourcen bzw. Anwendungen für NutzerInnen in einem Föderationsumfeld bereitgestellt werden können, für die lokale Benutzerkonten notwendig sind. Innerhalb der eigenen Domäne ist diese Bereitstellung ohne weitere Maßnahmen möglich. Grundsätzlich erfolgt der Zugriff auf geteilte Anwendungen von Diensteanbietern (SPs) im Kontext einer Föderation anhand übermittelter Attribute einer zugehörigen Entität. Für domänenfremde NutzerInnen, deren digitale Identität in einem unbekannten IdM verwaltet wird, reicht eine Übermittlung der Attribute für die hier betrachtete Bereitstellung nicht aus, daher wird die Erstellung eines lokalen Benutzerkontos erforderlich. Die Mitgliedschaft der beteiligten Einrichtungen in einer AAI und die Konzepte der Authentifizierung und Autorisierung stellen hier die wichtige Grundlage. Um die benötigten Attribute der Entitäten und die Metadaten der verschiedenen Einrichtungen (Identitätsanbieter, IdPs) auszutauschen, kommt das XML-Framework SAML zum Einsatz. Ein sogenannter SP-IdP-Proxy agiert in diesem Szenario als Zwischenakteur, der fremde Entitäten authentifiziert und autorisiert sowie ein lokales Benutzerkonto im eigenen dafür vorgesehenen Identitätsspeicher in Ausprägung eines OpenLDAP-Verzeichnisdienstes anlegt. Bei Vorhandensein eines zuvor erzeugten Benutzerkontos durch den SP-IdP-Proxy (Unity IdM) kann anschließend auf die am Alfred-Wegener-Institut zur Verfügung gestellte Anwendung (VMware vRealize Automation) innerhalb der Föderation zugegriffen werden. Damit dieser Zugriff allerdings funktionieren kann, muss zuvor eine automatisierte Benutzer-Entitätensynchronisation mit einem selbst entwickelten Bash-Skript durchgeführt werden. Bei diesem Vorhaben kann der Ansatz des Single Sign-on (SSO) nicht verwirklicht werden, für den die Software Shibboleth mit SAML in der DFN-AAI ursprünglich eingesetzt wird; die in diesem Szenario notwendige Erzeugung einer lokalen Referenz (Benutzerkonto) zu einer föderativen digitalen Identität bleibt vorhanden