222 research outputs found
Implementing Azure Active Directory Integration with an Existing Cloud Service
Training Simulator (TraSim) is an online, web-based platform for holding crisis management exercises. It simulates epidemics and other exceptional situations to test the functionality of an organization’s operating instructions in the hour of need. The main objective of this thesis is to further develop the service by delegating its existing authentication and user provisioning mechanisms to a centralized, cloud-based Identity and Access Management (IAM) service. Making use of a centralized access control service is widely known as a Single Sign-On (SSO) implementation which comes with multiple benefits such as increased security, reduced administrative overhead and improved user experience.
The objective originates from a customer organization’s request to enable SSO for TraSim. The research mainly focuses on implementing SSO by integrating TraSim with Azure Active Directory (AD) from a wide range of IAM services since it is considered an industry standard and is already utilized by the customer. However, the complexity of the integration is kept as low as possible to retain compatibility with other services besides Azure AD. While the integration is a unique operation with an endless number of software stacks that a service can build on and multiple IAM services to choose from, this thesis aims to provide a general guideline on how to approach a similar assignment.
Conducting the study required extensive search and evaluation of the available literature about terms such as IAM, client-server communication, SSO, cloud services and AD. The literature review is combined with an introduction to the basic technologies that TraSim is built with to justify the choice of OpenID Connect as the authentication protocol and why it was implemented using the mozilla-django-oidc library. The literature consists of multiple online articles, publications and the official documentation of the utilized technologies. The research uses a constructive approach as it focuses on developing and testing a new feature that is merged into the source code of an already existing piece of software.
Token Based Authentication and Authorization with Zero-Knowledge Proofs for Enhancing Web API Security and Privacy
This design science study showcases an innovative artifact that utilizes Zero-Knowledge Proofs for API Authentication and Authorization. A comprehensive examination of existing literature and technology is conducted to evaluate the effectiveness of this alternative approach. The study reveals that existing APIs are using slower techniques that don’t scale, can’t take advantage of newer hardware, and have been unable to adequately address current security issues. In contrast, the novel technique presented in this study performs better, is more resilient in privacy sensitive and security settings, and is easy to implement and deploy. Additionally, this study identifies potential avenues for further research that could help advance the field of Web API development in terms of security, privacy, and simplicity
Improved Internet Security Protocols Using Cryptographic One-Way Hash Chains
In this dissertation, new approaches that utilize the one-way cryptographic hash functions in designing improved network security protocols are investigated. The proposed approaches are designed to be scalable and easy to implement in modern technology. The first contribution explores session cookies with emphasis on the threat of session hijacking attacks resulting from session cookie theft or sniffing. In the proposed scheme, these cookies are replaced by easily computed authentication credentials using Lamport's well-known one-time passwords. The basic idea in this scheme revolves around utilizing sparse caching units, where authentication credentials pertaining to cookies are stored and fetched once needed, thereby, mitigating computational overhead generally associated with one-way hash constructions. The second and third proposed schemes rely on dividing the one-way hash construction into a hierarchical two-tier construction. Each tier component is responsible for some aspect of authentication generated by using two different hash functions. By utilizing different cryptographic hash functions arranged in two tiers, the hierarchical two-tier protocol (our second contribution) gives significant performance improvement over previously proposed solutions for securing Internet cookies. Through indexing authentication credentials by their position within the hash chain in a multi-dimensional chain, the third contribution achieves improved performance. In the fourth proposed scheme, an attempt is made to apply the one-way hash construction to achieve user and broadcast authentication in wireless sensor networks. Due to known energy and memory constraints, the one-way hash scheme is modified to mitigate computational overhead so it can be easily applied in this particular setting. The fifth scheme tries to reap the benefits of the sparse cache-supported scheme and the hierarchical scheme.
The resulting hybrid approach achieves efficient performance at the lowest cost of caching possible. In the sixth proposal, an authentication scheme tailored for the multi-server single sign-on (SSO) environment is presented. The scheme utilizes the one-way hash construction in a Merkle Hash Tree and a hash calendar to avoid impersonation and session hijacking attacks. The scheme also explores the optimal configuration of the one-way hash chain in this particular environment. All the proposed protocols are validated by extensive experimental analyses. These analyses are obtained by running simulations depicting the many scenarios envisioned. Additionally, these simulations are supported by relevant analytical models derived by mathematical formulas taking into consideration the environment under investigation
MSL Framework: (Minimum Service Level Framework) for cloud providers and users
Cloud Computing ensures parallel computing and emerged as an efficient technology to meet
the challenges of rapid growth of data that we experienced in this Internet age. Cloud
computing is an emerging technology that offers subscription based services, and provide
different models such as IaaS, PaaS and SaaS among other models to cater the needs of
different user groups. The technology has enormous benefits but there are serious concerns
and challenges related to lack of uniform standards or nonexistence of minimum benchmark
for level of services offered across the industry to provide an effective, uniform and reliable
service to the cloud users. As the cloud computing is gaining popularity, organizations and
users are having problems to adopt the service due to lack of minimum service level
framework which can act as a benchmark in the selection of the cloud provider and provide
quality of service according to the user’s expectations. The situation becomes more critical
due to distributed nature of the service provider which can be offering service from any part
of the world. Due to lack of minimum service level framework that will act as a benchmark
to provide a uniform service across the industry there are serious concerns raised recently in terms
of security and data privacy breaches, authentication and authorization issues, lack of
third party audit and identity management problems, integrity, confidentiality and variable
data availability standards, no uniform incident response and monitoring standards,
interoperability and lack of portability standards, identity management issues, lack of
infrastructure protection services standards and weak governance and compliance standards
are major cause of concerns for cloud users. Due to confusion and absence of universal
agreed SLAs for a service model, different quality of services is being provided across the
cloud industry. Currently there is no uniform performance model agreed by all stakeholders;
which can provide performance criteria to measure, evaluate, and benchmark the level of
services offered by various cloud providers in the industry. With the implementation of
General Data Protection Regulation (GDPR) and demand from cloud users to have Green
SLAs that provides better resource allocations mechanism, there will be serious implications
for the cloud providers and its consumers due to lack of uniformity in SLAs and variable
standards of service offered by various cloud providers. This research examines weaknesses in service level agreements offered by various cloud
providers and impact due to absence of uniform agreed minimum service level framework on
the adoption and usage of cloud service. The research is focused around higher education
case study and proposes a conceptual model based on uniform minimum service model that
acts as benchmark for the industry to ensure quality of service to the cloud users in the higher
education institution and remove the barriers to the adoption of cloud technology. The
proposed Minimum Service Level (MSL) framework, provides a set of minimum and
uniform standards in the key concern areas raised by the participants of HE institution which
are essential to the cloud users and provide a minimum quality benchmark that becomes a
uniform standard across the industry. The proposed model produces a cloud computing
implementation evaluation criteria which is an attempt to reduce the adoption barrier of the
cloud technology and set minimum uniform standards followed by all the cloud providers
regardless of their hosting location so that their performance can be measured, evaluated and
compared across the industry to improve the overall QoS (Quality of Service) received by the
cloud users, remove the adoption barriers and concerns of the cloud users and increase the
competition across the cloud industry.
Cloud computing provides parallel computing and has emerged as an efficient technology for
meeting the challenges of the rapid data growth we are experiencing in the Internet age.
Cloud computing is an emerging technology that offers subscription-based services and offers
different models such as IaaS, PaaS and SaaS, among other models, to meet the needs of
different user groups. The technology has enormous benefits, but serious concerns and
challenges remain related to the lack of uniform standards or the absence of a minimum
benchmark for the level of services offered in the industry to provide an effective, uniform
and reliable offering to cloud users. As cloud computing gains popularity, both organizations
and users are facing problems in adopting the service owing to the lack of a minimum service
level framework that can act as a reference point in selecting a cloud provider and deliver
quality of service according to the user's expectations. The situation becomes more critical
because of the distributed nature of the service provider, which may come from any part of
the world. Owing to the lack of a minimum service level framework that will act as a
benchmark to provide a uniform service across the industry, serious concerns have recently
been raised in terms of security and data privacy breaches, authentication and authorization,
lack of third-party audit and identity management problems, integrity, confidentiality and
availability of data, lack of uniformity of standards, non-response to incidents and the
monitoring of standards, interoperability and the lack of portability standards, identity
management issues, lack of standards for infrastructure protection services, and weak
governance and standards compliance, all of which are further important causes of concern for
users. Owing to confusion and the absence of universally agreed SLAs for a service model,
differing quality of service is being delivered through the cloud by the cloud computing
industry. Currently there is neither uniform performance nor a model agreed by all
stakeholders that can provide performance criteria to measure, evaluate and compare the level
of services offered by the various cloud computing providers in the industry. With the
implementation of the General Data Protection Regulation (GDPR) and demand for the cloud
based on environmental impact (Green SLAs), additional concerns are added and there are
serious implications for cloud computing providers and their consumers, also because of the
lack of uniformity in the multiplicity of SLAs and service standards offered. This research
examines the weaknesses in service level agreements offered by cloud computing providers and
studies the impact of the absence of an agreed minimum service level framework on adoption
and use in the context of cloud computing. The research is oriented towards the adoption of
these services in higher education and higher education institutions, and proposes a
conceptual model based on a uniform minimum service model that serves as a reference for the
industry, to ensure quality of service for cloud users in a higher education institution so
as to eliminate the barriers to the adoption of cloud computing technology. The proposed
minimum service level (MSL) provides a minimum set of uniform standards in the areas of the
main concerns raised by those responsible for higher education institutions, which are
essential in order to provide a minimum quality benchmark that can become a uniform standard
across the industry. The proposed model is an attempt to reduce the barrier to adopting cloud
computing technology and to define minimum standards followed by all cloud computing
providers, regardless of their hosting location, so that their performance can be measured,
evaluated and compared across the industry, to improve the quality of service (QoS) received
by users and remove users' adoption barriers and concerns, as well as to encourage increased
competition across the cloud computing industry.
EMI Security Architecture
This document describes the various architectures of the three middlewares that comprise the EMI software stack. It also outlines the common efforts in the security area that allow interoperability between these middlewares. The assessment of the EMI Security presented in this document was performed internally by members of the Security Area of the EMI project
Authentication and Identity Management for the EPOS Project
The increase in the number of online services emphasizes the value of authentication and
identity management that we, even without realizing, depend on. In EPOS this authentication
and identity management are also crucial, by dealing and being responsible for large amounts
of heterogeneous data in multiple formats and from various providers, that can be public or
private. Controlling and identifying access to this data is the key. For this purpose, it is
necessary to create a system capable of authenticating, authorizing, and accounting for the usage of
these services. While services in a development phase can have authentication and authorization
modules directly implemented in them, this is not an option for legacy services that cannot be
modified. This thesis regards the issue of providing secure and interoperable authentication
and authorization framework, associated with correct identity management and an accounting
module, stating the difficulties faced and how to be addressed. These issues are approached by
implementing the proposed methods in one of the GNSS Data and Products TCS services, that
will serve as a study case. While authentication mechanisms have improved constantly over
the years, with the addition of multiple authentication factors, there is still not a clear and
defined way of how authentication should be done. New security threats are always showing
up, and authentication systems need to adapt and improve while maintaining a balance between
security and usability. Our goal is, therefore, to propose a system that can provide a good user
experience allied to security, which can be used in the TCS services or other web services facing
similar problems.
The importance of authentication and identity management, on which we unconsciously depend,
increases with the growth in the number of online services available to us. In EPOS, owing to
the provision and management of heterogeneous data from various entities, which may be public
or private, the existence of an authentication and identity management system is also
crucial, and controlling and identifying access to this data is the key. In a service's
development phase, these authentication and authorization modules can be implemented directly
and the software can be adapted to them. However, there are existing services where changes
imply large-scale modifications and a reformulation of the whole system, so making direct
changes to them is not feasible. This dissertation addresses the development of a secure and
interoperable authentication and authorization system, associated with correct identity
management and a control module, identifying the problems encountered and proposing solutions
to them. This development is applied to one of the TCS GNSS Data and Products services and
will serve as a case study. Although authentication mechanisms have improved continuously
over the years, with the addition of several authentication factors, there is still no
single, clear method for how authentication should be done. New threats are always emerging
and current systems need to adapt and improve while maintaining a balance between security
and usability. Our goal is to propose a system that can combine security with a good user
experience and that can be used not only in the TCS services but also in other web services
facing similar problems.
Context-aware multi-factor authentication
Work presented within the scope of the Master's in Computer Engineering, as a partial requirement for obtaining the degree of Master in Computer Engineering.
Authentication systems, as available today, are inappropriate for the requirements of ubiquitous,
heterogeneous and large scale distributed systems. Some important limitations are: (i)
the use of weak or rigid authentication factors as principal’s identity proofs, (ii) non flexibility
to combine different authentication modes for dynamic and context-aware interaction criteria,
(iii) not being extensible models to integrate new or emergent pervasive authentication factors
and (iv) difficulty to manage the coexistence of multi-factor authentication proofs in a unified
single sign-on solution. The objective of this dissertation is the design, implementation and
experimental evaluation of a platform supporting multi-factor authentication services, as a contribution
to overcome the above limitations. The devised platform will provide a uniform and
flexible authentication base for multi-factor authentication requirements and context-aware authentication
modes for ubiquitous applications and services. The main contribution is focused
on the design and implementation of an extensible authentication framework model, integrating
classic as well as new pervasive authentication factors that can be composed for different
context-aware dynamic requirements. Flexibility criteria are addressed by the establishment of a
unified authentication back-end, supporting authentication modes as defined processes and rules
expressed in a SAML based declarative markup language. The authentication base supports an
extended single sign-on system that can be dynamically tailored for multi-factor authentication
policies, considering large scale distributed applications and according with ubiquitous interaction
needs
Contributions to the privacy provisioning for federated identity management platforms
Identity information, personal data and users’ profiles are key assets for organizations
and companies, making the use of identity management (IdM) infrastructures a prerequisite
for most companies, since IdM systems allow them to perform their business
transactions by sharing information and customizing services for several purposes in more
efficient and effective ways.
Due to the importance of the identity management paradigm, a lot of work has been done
so far resulting in a set of standards and specifications. According to them, under the
umbrella of the IdM paradigm a person’s digital identity can be shared, linked and reused
across different domains by allowing users simple session management, etc. In this way,
users’ information is widely collected and distributed to offer new added value services
and to enhance availability. Whereas these new services have a positive impact on users’
life, they also bring privacy problems.
To manage users’ personal data, while protecting their privacy, IdM systems are the ideal
target where to deploy privacy solutions, since they handle users’ attribute exchange.
Nevertheless, current IdM models and specifications do not sufficiently address comprehensive
privacy mechanisms or guidelines, which enable users to better control over the
use, divulging and revocation of their online identities. These are essential aspects, especially
in sensitive environments where incorrect and unsecured management of user’s data
may lead to attacks, privacy breaches, identity misuse or frauds.
Nowadays there are several approaches to IdM that have benefits and shortcomings, from
the privacy perspective.
In this thesis, the main goal is contributing to the privacy provisioning for federated
identity management platforms. And for this purpose, we propose a generic architecture
that extends current federation IdM systems. We have mainly focused our contributions
on health care environments, given their particularly sensitive nature. The two main
pillars of the proposed architecture, are the introduction of a selective privacy-enhanced
user profile management model and flexibility in revocation consent by incorporating an
event-based hybrid IdM approach, which enables to replace time constraints and explicit
revocation by activating and deactivating authorization rights according to events. The
combination of both models enables to deal with both online and offline scenarios, as well
as to empower the user role, by letting her to bring together identity information from
different sources.
Regarding user’s consent revocation, we propose an implicit revocation consent mechanism
based on events, that empowers a new concept, the sleepyhead credentials, which
is issued only once and would be used any time. Moreover, we integrate this concept
in IdM systems supporting a delegation protocol and we contribute with the definition
of mathematical model to determine event arrivals to the IdM system and how they are
managed to the corresponding entities, as well as its integration with the most widely
deployed specification, i.e., Security Assertion Markup Language (SAML).
In regard to user profile management, we define a privacy-awareness user profile management
model to provide efficient selective information disclosure. With this contribution a
service provider would be able to access the specific personal information without being
able to inspect any other details and keeping user control of her data by controlling
who can access. The structure that we consider for the user profile storage is based on
extensions of Merkle trees allowing for hash combining that would minimize the need of
individual verification of elements along a path. An algorithm for sorting the tree as we
envision frequently accessed attributes to be closer to the root (minimizing the access’
time) is also provided.
Formal validation of the above mentioned ideas has been carried out through simulations
and the development of prototypes. Besides, dissemination activities were performed in
projects, journals and conferences.
Official Doctoral Programme in Telematics Engineering. President: María Celeste Campo Vázquez. Secretary: María Francisca Hinarejos Campos. Member: Óscar Esparza Martí
Participant Domain Name Token Profile for security enhancements supporting service oriented architecture
This research proposes a new secure token profile for improving the existing Web Services security standards. It provides a new authentication mechanism. This additional level of security is important for the Service-Oriented Architecture (SOA), which is an architectural style that uses a set of principles and design rules to shape interacting applications and maintain interoperability. Currently, the market push is towards SOA, which provides several advantages, for instance: integration with heterogeneous systems, services reuse, standardization of data exchange, etc. Web Services is one of the technologies to implement SOA and it can be implemented using Simple Object Access Protocol (SOAP).
A SOAP-based Web Service relies on XML for its message format and common application layer protocols for message negotiation and transmission. However, it is a security challenge when a message is transmitted over the network, especially on the Internet. The Organization for Advancement of Structured Information Standards (OASIS) announced a set of Web Services Security standards that focus on two major areas. “Who” can use the Web Service and “What” are the permissions. However, the location or domain of the message sender is not authenticated. Therefore, a new secure token profile called: Participant Domain Name Token Profile (PDNT) is created to tackle this issue.
The PDNT provides a new security feature, which the existing token profiles do not address. Location-based authentication is achieved if adopting the PDNT when using Web Services. In the performance evaluation, PDNT is demonstrated to be significantly faster than other secure token profiles. The processing overhead of using the PDNT with other secure token profiles is very small given the additional security provided. Therefore all the participants can acquire the benefits of increased security and performance at low cost